Edit apt-get installation instructions #50033

Merged
merged 2 commits into from
Jan 16, 2025

ptgott
Contributor

@ptgott ptgott commented Dec 10, 2024

Closes #24564

Show using /etc/apt/trusted.gpg.d, a directory that apt-get searches automatically, for storing public keys. Edit the three locations where we showed using /usr/share/keyrings, including two partials.


@marcoandredinis
Contributor

Using the [signed-by=<pubkey>] in the /etc/apt/sources.list.d/teleport.list file, we ensure only that key is considered when validating the teleport deb package.

By removing this option, we are saying that any globally installed pub key in /etc/apt/trusted.gpg.d/ is considered when validating the teleport deb package.
It changes things slightly in terms of security invariants.

I'm raising this topic because I'm also interested in applying this change to Server Auto Discover scripts and JoinScript.
If this PR is merged, I'll change those places as well.
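
The difference described in the comment above, as an added example that is not part of the PR or the Teleport docs: a POSIX shell audit that reports, for each one-line-style apt source entry, whether it pins its key with `signed-by` or relies on every key in `/etc/apt/trusted.gpg.d/`. The function names, repository hosts and keyring file names are constructed for illustration, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Added example: report whether each one-line-style apt source entry pins its
# signing key with signed-by or falls back to the global trusted.gpg.d set.

# Constructed sample entries (hypothetical hosts and keyring file names).
sample_sources() {
cat <<'EOF'
# constructed sample, not a real repository list
deb [signed-by=/etc/apt/keyrings/example-archive-keyring.asc] https://apt.example.invalid stable main
deb https://apt.example.invalid stable main
deb [arch=amd64] https://mirror.example.invalid/debian stable main
deb [signed-by=/etc/apt/trusted.gpg.d/example.asc] https://apt.example.invalid stable main
EOF
}

# Prints one of: skip | global | pinned:<keyring> | pinned-global:<keyring>
classify_entry() {
  set -f; set -- $1; set +f   # split the entry on whitespace without globbing
  case ${1:-} in deb|deb-src) shift ;; *) echo skip; return 0 ;; esac
  case ${1:-} in \[*) ;; *) echo global; return 0 ;; esac
  for word in "$@"; do
    opt=${word#\[}; opt=${opt%\]}
    case $opt in
      # Pinned here, but the key file is also trusted for every other source.
      signed-by=/etc/apt/trusted.gpg.d/*) echo "pinned-global:${opt#signed-by=}"; return 0 ;;
      signed-by=*) echo "pinned:${opt#signed-by=}"; return 0 ;;
    esac
    case $word in *\]) break ;; esac
  done
  echo global
}

# Reads entries on stdin, prints "<verdict><TAB><entry>" for each source line.
audit_sources() {
  while IFS= read -r entry || [ -n "$entry" ]; do
    verdict=$(classify_entry "$entry")
    [ "$verdict" = skip ] || printf '%s\t%s\n' "$verdict" "$entry"
  done
}

sample_sources | audit_sources
```

To check a host, feed it the real files instead of the sample, for example `cat /etc/apt/sources.list.d/*.list | audit_sources`.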

@ptgott ptgott force-pushed the paul.gottschling/24564-publickey branch from e5c17d6 to b9c926b Compare December 11, 2024 18:59
@ptgott
Contributor Author

ptgott commented Dec 11, 2024

> Using the [signed-by=<pubkey>] in the /etc/apt/sources.list.d/teleport.list file, we ensure only that key is considered when validating the teleport deb package.
>
> By removing this option, we are saying that any globally installed pub key in /etc/apt/trusted.gpg.d/ is considered when validating the teleport deb package. It changes things slightly in terms of security invariants.
>
> I'm raising this topic because I'm also interested in applying this change to Server Auto Discover scripts and JoinScript. If this PR is merged, I'll change those places as well.

Thanks for the context! I've responded to your feedback in b9c926b.


@ptgott ptgott force-pushed the paul.gottschling/24564-publickey branch from b9c926b to 3424625 Compare December 13, 2024 21:06


@ptgott ptgott force-pushed the paul.gottschling/24564-publickey branch from 92eb237 to f31f1c2 Compare December 24, 2024 13:57

github-actions bot commented Dec 24, 2024

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
|---|---|---|---|---|---|
| paul.gottschling/24564-publickey | 0f670ec | 2 | ✅ SUCCEED | paul-gottschling-24564-publickey | 2025-01-16 14:11:09 |

Collaborator

@zmb3 zmb3 left a comment


LGTM if Marco is good with it. Not my area of expertise.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from r0mant December 26, 2024 18:02
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from xinding33 December 26, 2024 18:02
@ptgott
Contributor Author

ptgott commented Dec 27, 2024

@marcoandredinis Just double-checking if this is okay. Thanks!

@marcoandredinis
Contributor

After reading this comment #50273 (review) cc @gzdunek
I think we should download the public key into /etc/apt/keyrings/ (we might need to add mkdir -p /etc/apt/keyrings/ before writing to it)

@ptgott ptgott marked this pull request as draft January 6, 2025 14:44
@marcoandredinis
Contributor

@ptgott It seems that you marked the PR as draft. Do you want me to follow up on this one? Or is there anything blocking the last suggestion?

Closes #24564

Show using `/etc/apt/trusted.gpg.d`, a directory that `apt-get` searches
automatically, for storing public keys. Edit the three locations where
we showed using `/usr/share/keyrings`, including two partials.

Trust only the Teleport-issued public key when validating Teleport DEB
packages.
Respond to marcoandredinis feedback.
@ptgott ptgott force-pushed the paul.gottschling/24564-publickey branch from f31f1c2 to 0f670ec Compare January 16, 2025 14:04
@ptgott ptgott marked this pull request as ready for review January 16, 2025 14:04
@ptgott
Contributor Author

ptgott commented Jan 16, 2025

> After reading this comment #50273 (review) cc @gzdunek I think we should download the public key into /etc/apt/keyrings/ (we might need to add mkdir -p /etc/apt/keyrings/ before writing to it)

@marcoandredinis I wanted to make sure this wouldn't get merged while I prioritized other things, but now I've made the change and this is ready for another look. Thanks!

@ptgott ptgott added this pull request to the merge queue Jan 16, 2025
Merged via the queue into master with commit 84dd3da Jan 16, 2025
45 checks passed
@ptgott ptgott deleted the paul.gottschling/24564-publickey branch January 16, 2025 14:44
@public-teleport-github-review-bot

@ptgott See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v15 | Failed |
| branch/v16 | Failed |
| branch/v17 | Create PR |

ptgott added a commit that referenced this pull request Jan 16, 2025
Edit apt-get installation instructions. Backports #50033.
github-merge-queue bot pushed a commit that referenced this pull request Jan 17, 2025
Edit apt-get installation instructions. Backports #50033.
mvbrock pushed a commit that referenced this pull request Jan 18, 2025
* Edit apt-get installation instructions

Closes #24564

Show using `/etc/apt/trusted.gpg.d`, a directory that `apt-get` searches
automatically, for storing public keys. Edit the three locations where
we showed using `/usr/share/keyrings`, including two partials.

Trust only the Teleport-issued public key when validating Teleport DEB
packages.

* Use /etc/apt/keyrings for apt public keys

Respond to marcoandredinis feedback.
Successfully merging this pull request may close these issues.

[v.12.x] /docs/pages/installation.mdx suggests adding apt-key to wrong place on the filesystem
4 participants