Skip to content

Integrate GPG signing for Debian repository to prevent package injection attacks #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 4 commits into
base: decemberUpdate
Choose a base branch
from
Draft

Integrate GPG signing for Debian repository to prevent package injection attacks #41

Copilot wants to merge 4 commits into from

Conversation

Copy link

Copilot AI commented Jan 5, 2026
edited
Loading

The Debian repository was published with -skip-signing and instructed clients to use Trusted: yes, removing cryptographic verification. This allowed arbitrary package injection via compromised HTTPS or GitHub Pages.

Changes

Pipeline (azure-pipelines-release.yml)

  • Generate 4096-bit RSA GPG key during deployment
  • Sign repository with aptly publish -gpg-key instead of -skip-signing
  • Export public key to repo/public/log4tc-archive-keyring.gpg and repo/public/dists/stable/

Client Configuration (CONTRIBUTING.md, docs/reference/installation.md)

  • Replace Trusted: yes with Signed-By: /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg
  • Add GPG key installation step: wget -qO- https://mbc-engineering.github.io/log4TC/deb/log4tc-archive-keyring.gpg | sudo tee /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg

Before:

Types: deb
URIs: https://mbc-engineering.github.io/log4TC/deb
Suites: stable
Components: main
Trusted: yes  # ❌ Bypasses signature verification

After:

Types: deb
URIs: https://mbc-engineering.github.io/log4TC/deb
Suites: stable
Components: main
Signed-By: /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg  # ✅ Verifies signatures

Addresses review feedback from PR #40.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Jan 5, 2026
Open
Copilot AI and others added 3 commits January 5, 2026 19:48
@bqstony
Integrate GPG signing for Debian repository
46eee46 
Co-authored-by: bqstony <10487253+bqstony@users.noreply.github.com>
@bqstony
Fix directory creation order for GPG key export
44e57f0 
Co-authored-by: bqstony <10487253+bqstony@users.noreply.github.com>
@bqstony
Use consistent path for GPG key export in CONTRIBUTING.md
3eac8a8 
Co-authored-by: bqstony <10487253+bqstony@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on GPG key integration in Debian support PR Integrate GPG signing for Debian repository to prevent package injection attacks Jan 5, 2026
Copilot AI requested a review from bqstony January 5, 2026 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bqstony bqstony Awaiting requested review from bqstony

Assignees

@bqstony bqstony

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bqstony