Reputation: 73
I want to distribute a custom .deb package to all Debian PCs in my company, with periodic updates.
What's the best strategy to make the distribution secure (e.g. avoiding a man-in-the-middle attack that replaces my package with a dangerous one)?
Do I need to sign the package, or is it enough to set up a private HTTPS repo and install a signed SSL certificate (I can distribute my CA cert to every PC)?
Thanks, Igor
Upvotes: 1
Views: 72
Reputation: 34145
A combination of both. You should sign your packages to make sure that what you're sending is what's installed. Then you should have HTTPS on your website, so that you can communicate your key properly.
If it's a completely internal deployment, and you say you can distribute the CA, then you can possibly skip the https/website key distribution and add the repository key using the same mechanism you planned to install the CA.
Upvotes: 1
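The following script is an added example, not code from the question or the answer, showing what "sign your packages" means in apt terms and how the signing key rides along with the CA on the client. apt does not verify a signature on each .deb; it verifies one signature over the Release file, whose SHA256 entries cover the Packages index, whose entries cover each .deb. The repo root `/srv/debian`, the keyring path `/etc/apt/keyrings/internal.gpg`, the host `apt.example.internal` and the flat `./` layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds the metadata
# chain apt verifies for a flat, signed repository:
#   InRelease (GPG clearsigned) -> Release (SHA256 of Packages) -> Packages (SHA256 of each .deb)
# The client then needs only two trusted artifacts, both deployable alongside
# the internal CA: the repo signing key and a sources.list entry pinned to it.
# Assumed (hypothetical) names: repo root /srv/debian, keyring /etc/apt/keyrings/internal.gpg.
set -eu

sha_of()  { sha256sum "$1" | cut -d' ' -f1; }
size_of() { wc -c < "$1" | tr -d ' '; }

# One Packages stanza for a .deb stored at $2 relative to repo root $1.
# Filename/Size/SHA256 are what apt checks on the downloaded .deb before dpkg runs.
packages_stanza() {
  repo="$1"; rel="$2"; pkg="$3"; ver="$4"; arch="$5"
  printf 'Package: %s\nVersion: %s\nArchitecture: %s\nFilename: %s\nSize: %s\nSHA256: %s\n\n' \
    "$pkg" "$ver" "$arch" "$rel" "$(size_of "$repo/$rel")" "$(sha_of "$repo/$rel")"
}

# Release records the size and SHA256 of every index in the repo root, so one
# signature over Release transitively covers every package listed in Packages.
write_release() {
  repo="$1"; suite="$2"
  {
    printf 'Origin: internal\nLabel: internal\nSuite: %s\nCodename: %s\n' "$suite" "$suite"
    printf 'Date: %s\nSHA256:\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
    for f in Packages Packages.gz; do
      [ -f "$repo/$f" ] || continue
      printf ' %s %16s %s\n' "$(sha_of "$repo/$f")" "$(size_of "$repo/$f")" "$f"
    done
  } > "$repo/Release"
}

# InRelease (clearsigned) for current apt, Release.gpg (detached) for older apt.
# apt rejects the whole repository if the signature does not validate against
# the key named in signed-by, so a swapped .deb or index on the wire is caught here.
sign_release() {
  repo="$1"; keyid="$2"
  gpg --batch --yes --local-user "$keyid" --digest-algo SHA256 \
      --clearsign -o "$repo/InRelease" "$repo/Release"
  gpg --batch --yes --local-user "$keyid" --digest-algo SHA256 \
      --armor --detach-sign -o "$repo/Release.gpg" "$repo/Release"
}

# The check apt performs on an index: recompute its hash and compare it with the
# value recorded in the (signed) Release. Exit status 1 if missing, unlisted or altered.
check_index() {
  repo="$1"; f="$2"
  [ -f "$repo/$f" ] || return 1
  want=$(awk -v f="$f" '$3 == f { print $1 }' "$repo/Release")
  have=$(sha_of "$repo/$f")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Client-side sources.list line for a flat repo: HTTPS transport plus signed-by,
# which pins this repo to our key instead of the machine-wide trusted keyring.
client_sources_line() {
  printf 'deb [signed-by=/etc/apt/keyrings/internal.gpg] https://%s/debian ./\n' "$1"
}

# Usage (publisher side):  sh mkrepo.sh build /srv/debian <GPG key id>
if [ "${1:-}" = "build" ]; then
  repo="$2"; keyid="$3"
  : > "$repo/Packages"
  for deb in "$repo"/pool/*.deb; do
    packages_stanza "$repo" "pool/$(basename "$deb")" \
      "$(dpkg-deb -f "$deb" Package)" "$(dpkg-deb -f "$deb" Version)" \
      "$(dpkg-deb -f "$deb" Architecture)" >> "$repo/Packages"
  done
  gzip -kf "$repo/Packages"
  write_release "$repo" stable
  sign_release "$repo" "$keyid"
  client_sources_line "apt.example.internal"
fi
```

On each client, the same deployment step that drops the CA certificate (for example into `/usr/local/share/ca-certificates/` followed by `update-ca-certificates`) also drops the exported public key from `gpg --export` into `/etc/apt/keyrings/internal.gpg` and writes the sources line above. Using `signed-by` rather than the deprecated `apt-key add` keeps the repo key from being trusted for every other repository on the machine, and `apt update` fails closed if InRelease does not validate or an index no longer matches the hash it records.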