trusted.gpg.d keys on grafana server installation #38

Open
ally2211 opened this issue Jul 31, 2023 · 0 comments

ally2211 commented Jul 31, 2023

We will need to confirm the use of trusted.gpg.d keys on any installation of Grafana, as apt-key is deprecated and creates a security breach for the same keys to be used in other repositories.

The way apt-key works is by adding the keys to the /etc/apt/trusted.gpg file. The apt package manager trusts the keys inside this file. However, it was discovered to be a potential security issue. Your system trusts those keys completely, not just for the packages you added them for. Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages. Hence, there is a potential for a security breach.

Ubuntu doesn’t want you to add all the signature keys in the single /etc/apt/trusted.gpg file. It suggests using separate files that are located in the /etc/apt/trusted.gpg.d directory.

A good resource - look at step 3 for installation guidance for trusted.gpg.d keys. (The other steps are not applicable and the same can be accomplished in other, better ways):
https://www.rosehosting.com/blog/how-to-install-grafana-on-ubuntu-22-04/
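
A check for the cross-repository trust described in this issue, added here as an example (it is not code from the issue or from the project): it parses one-line-style APT source entries and reports which repositories are not pinned to a specific keyring with the `signed-by` option. The sample entries, the `example` hostnames and the function names are constructed for illustration.

```python
import glob
import os
import re

# Constructed sample of one-line-style APT source entries (not from a real host).
SAMPLE_SOURCES = """\
# legacy entry: verified against every key APT trusts globally
deb https://repo-a.example/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/repo-b.gpg] https://repo-b.example/apt stable main
deb-src [arch=amd64] https://repo-c.example/apt stable main
"""

ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

def parse_entry(line):
    """Return (uri, options) for one source entry, or None for comments/blank lines."""
    match = ENTRY.match(line.split("#", 1)[0].strip())
    if not match:
        return None
    opts = {}
    for token in (match.group("opts") or "").split():
        key, _, value = token.partition("=")
        opts[key.lower()] = value
    return match.group("uri"), opts

def audit(text):
    """Map each repository URI to its signed-by keyring, or None when unpinned."""
    result = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            uri, opts = parsed
            result[uri] = opts.get("signed-by")
    return result

def unpinned(text):
    """Repositories whose packages are checked against APT's global trust set
    (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/) rather than one keyring."""
    return sorted(uri for uri, keyring in audit(text).items() if keyring is None)

if __name__ == "__main__":
    paths = ["/etc/apt/sources.list", *glob.glob("/etc/apt/sources.list.d/*.list")]
    for path in filter(os.path.exists, paths):
        with open(path, encoding="utf-8") as handle:
            for uri in unpinned(handle.read()):
                print(f"{path}: {uri} has no signed-by keyring")
```

Run directly on an Ubuntu host, it reads `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`; deb822-style `.sources` files are not parsed.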
