Verify repository's key

asked 2014-06-20 09:16:22 -0500

bwildenhain
73 ●2 ●3 ●6

Hi,

According to wiki.ros.org/hydro/Installation/Debian to install ROS on Debian, the GnuPG-key used to sign the repository should be installed by using

wget packages.ros.org/ros.key -O - | sudo apt-key add -

However, the key stored in ros.key hasn't been signed by anyone and the server doesn't support HTTPS. So this key doesn't provide much security against person-in-the-middle-attacks. Would it be possible to have this key signed by admins or developers actively using GnuPG/PGP (i.e. they already participated a key-signing-party or otherweise exchanged they public key with some people), who can assure, that this is the genuine archive's key? Is there any SSL-enabled webserver available which could be used to provide the key?

Kind regards, B. Wildenhain

edit retag flag offensive close merge delete

Comments

@William @tfoote

demmeln ( 2014-06-20 10:21:18 -0500 )edit

add a comment

2

answered 2014-06-20 14:15:07 -0500

tfoote

58457 ●128 ●550 ●526 http://www.ros.org/

updated 2019-07-08 11:31:48 -0500

gvdhoorn
86574 ●283 ●1432 ●1054 http://cor.tudelft.nl/

The key is now available on keyserver.ubuntu.com

The wget line can be replaced with

sudo -E apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Please test that it works and then we can update the installation instructions.

Update:

It is also now available from the ros/rosdistro repoon GitHub over https at: https://raw.githubusercontent.com/ros...

Or of course you can get it via git over ssh.

edit flag offensive delete link

Comments

1

Thanks, looks good :-)

bwildenhain ( 2014-06-20 16:47:30 -0500 )edit

There seems to be some kind of issue with the apt-key adv... command you provided on kinetic with Ubuntu 16.04, I had to manually download the key then do sudo apt-key add ros.key

ajm ( 2019-07-08 09:35:00 -0500 )edit

2

@ajm: I believe you're actually running into #q325039. The keys have changed since this answer was posted.

Edit: I've edited the answer by @tfoote and updated the command and the key.

gvdhoorn ( 2019-07-08 11:30:47 -0500 )edit

Thanks for the update. I can confirm that it now works in a more secure way. However, I would suggest the following two lines to adapt the code for Debian users, which are not using oldoldstable (current version is buster). The signed-by approch is suggested by https://wiki.debian.org/DebianReposit...

sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/ros.org-keyring.gpg] http://packages.ros.org/ros/ubuntu $(lsb_release -s -c) main" > /etc/apt/sources.list.d/ros-latest.list'
wget https://raw.githubusercontent.com/ros... -O - | gpg --dearmor | sudo dd of=/usr/share/keyrings/ros.org-keyring.gpg

bwildenhain ( 2019-07-18 10:03:06 -0500 )edit

add a comment

1

answered 2014-06-20 15:17:40 -0500

bwildenhain
73 ●2 ●3 ●6

I can get the key from the server, but it doesn't increase security: The HKP protocol used to communicate with keyserver is based on HTTP, not on HTTPS. Quote from https://tools.ietf.org/html/draft-sha... : "all search results must be regarded as untrustworthy and informational only"

edit flag offensive delete link

add a comment

Verify repository's key

Comments

2 Answers

Comments

Question Tools

Stats

Related questions

Verify repository's key edit

Comments

2 Answers

Comments

Question Tools

Stats

Related questions

Verify repository's key