Insecure manual to install albert on Open Build Service #1326

Closed
graue70 opened this issue Nov 5, 2023 · 9 comments
graue70 commented Nov 5, 2023

On https://software.opensuse.org/download.html?project=home:manuelschneid3r&package=albert, there is a manual on how to install albert. For example, for 22.04, it contains these lines:

echo 'deb http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:manuelschneid3r.list
curl -fsSL https://download.opensuse.org/repositories/home:manuelschneid3r/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_manuelschneid3r.gpg > /dev/null
sudo apt update
sudo apt install albert

As explained in detail in https://askubuntu.com/a/1307181 (the question is a different one, but the answer still explains the problem), these commands are insecure and not recommended.

This is a suggestion on how to improve them:

wget -qO- https://download.opensuse.org/repositories/home:manuelschneid3r/xUbuntu_22.04/Release.key | gpg --dearmor > manuelschneid3r-albert-keyring.gpg
cat manuelschneid3r-albert-keyring.gpg | sudo tee /usr/share/keyrings/manuelschneid3r-albert-keyring.gpg > /dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/manuelschneid3r-albert-keyring.gpg] http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:manuelschneid3r.list
sudo apt update && sudo apt install albert

(The commands can probably be improved further, e.g. by using gpg -o /usr/share/keyrings/manuelschneid3r-albert-keyring.gpg which prevents writing the file to a temporary location.)
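The point of the suggested change is that a key dropped into /etc/apt/trusted.gpg.d is accepted as a signer for every configured repository, while a keyring referenced through `signed-by=` is trusted for that one source only. The following POSIX shell script is an added example written for this page; it is not code from the issue, from albert, or from the OBS download page. It builds the pinned source line, converts an armored key with `gpg -o` (the improvement mentioned above), and audits a sources.list.d directory for entries that still lack `signed-by=`. The keyring paths and the entries written in `demo()` are constructed for illustration.

```shell
#!/bin/sh
# Added example for this issue (not the OBS page's or albert's own code):
# build an apt source entry whose key is pinned with signed-by, and audit a
# sources.list.d-style directory for entries that still rely on the global
# /etc/apt/trusted.gpg.d keyrings. Keyring paths and the repository written
# by demo() are constructed for illustration.
set -eu

# Convert an ASCII-armored key file ($1) to a binary keyring at $2 (meant for
# /usr/share/keyrings). gpg -o writes the target directly, so no temporary
# copy is left behind. Not run by demo(): it needs gpg and write access to $2.
install_keyring() {
  armored=$1; target=$2
  gpg --dearmor --output "$target" "$armored"
  chmod 0644 "$target"
}

# Build a one-line-style source entry. $1 URL, $2 suite, $3 components
# (empty for a flat repository such as the OBS one), $4 keyring path,
# $5 optional architecture restriction.
apt_source_line() {
  url=$1; suite=$2; comps=$3; keyring=$4; arch=${5:-}
  opts="signed-by=$keyring"
  if [ -n "$arch" ]; then opts="arch=$arch $opts"; fi
  line="deb [$opts] $url $suite"
  if [ -n "$comps" ]; then line="$line $comps"; fi
  printf '%s\n' "$line"
}

# Print every deb/deb-src line in $1/*.list whose option block has no
# signed-by=. Returns 1 when at least one such line exists, 0 otherwise.
# deb822 .sources files (Signed-By: field) are not scanned by this demo.
audit_unpinned_sources() {
  dir=$1
  found=0
  for f in "$dir"/*.list; do
    [ -e "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        "deb ["*|"deb-src ["*)
          # option block sits between the first [ and the first ]
          opts=${line#*\[}
          opts=${opts%%\]*}
          ;;
        deb\ *|deb-src\ *)
          opts=
          ;;
        *) continue ;;   # comments, blank lines, anything else
      esac
      case " $opts " in
        *" signed-by="*) ;;
        *) printf '%s: %s\n' "$f" "$line"; found=1 ;;
      esac
    done < "$f"
  done
  return "$found"
}

# Constructed demo: the entry as the OBS download page prints it, next to the
# pinned form proposed in this issue, written to a throwaway directory.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'deb http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.04/ /' \
    > "$tmp/home:manuelschneid3r.list"
  apt_source_line 'http://download.opensuse.org/repositories/home:/manuelschneid3r/xUbuntu_22.04/' \
    / '' /usr/share/keyrings/manuelschneid3r-albert-keyring.gpg amd64 \
    > "$tmp/albert-pinned.list"
  audit_unpinned_sources "$tmp" || echo 'entry above accepts any key in /etc/apt/trusted.gpg.d'
  rm -rf "$tmp"
}

demo
```

On a real system, run `audit_unpinned_sources /etc/apt/sources.list.d` to see which third-party entries still depend on the global keyrings, and pair it with `ls /etc/apt/trusted.gpg.d` to see which keys are currently trusted for all of them. `install_keyring` has to be run with enough privilege to write under /usr/share/keyrings, and the audit deliberately only understands the one-line format used on the OBS page.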

ManuelSchneid3r commented Nov 6, 2023

First note that this is out of scope here. The distribution is handled by Open Build Service. I can't change it. You have to discuss these kinds of things in their IRC channel.

The suggestion in this article does not make much sense in my eyes. Keys have to be trusted. If you have one malicious repo key in there you are done. If these are good they won't "cross sign". Technically I think there is not much you have to worry about, because even if you are a trusted repository, why would you add your package to another server (I doubt that this is an easy task)? You have your own trusted repository, right?

In the end this idea is ineffective, as the article states,

because packages currently can run arbitrary shell code as root in their setup scripts

@ManuelSchneid3r

Please correct me if I am wrong


graue70 commented Dec 6, 2023

I agree with you that it is a small attack vector, but still (one sentence after the one you quoted):

Closing off one attack vector doesn't hurt, though, and progress is (slowly) being made on other fronts.

Also, Signal probably has some knowledgeable security experts and they promote this method, too: https://signal.org/download/linux/

@ManuelSchneid3r

Yeah, I agree it won't hurt. I am not in the position to change anything at OBS. Sure, we could have dedicated install scripts. But then these would have to be maintained. Imho it's not worth the hassle. If you manage to convince devs at openSUSE, several thousands of projects would benefit from the change. I think it is rather worth the effort discussing this topic in their IRC channel.


graue70 commented Dec 7, 2023

[screenshot]
That page lists only you on the 'users' tab.

I guess I won't pursue this any further.

@ManuelSchneid3r

Malcom Lewis may be just a regular user. If you post just a github link there even employees may give you that kind of answers. I bet he did not even read the issue.

@ManuelSchneid3r


graue70 commented Dec 8, 2023

No, I have not seen another comment.

Nice! Now I found this: openSUSE/software-o-o#1189

@ManuelSchneid3r

There you go. Good luck! Subscribed.
