CA Certificate

SabirSaleem90
Joined: 10/03/2021

Hi,

Sometimes Trisquel has an issue when installing any package, like the CA certificate being expired due to SSL expiry issues.

So I found a solution: go to /etc/apt/sources.list

and change https to http, which means an insecure SSL connection,

and then installation seems to work.

Now, in their software updates, the CA certificates were updated and it works with https too.

Can someone tell me whether using http connections to the Trisquel servers to install packages from their sources, not unknown sources, is insecure, or whether a virus can come in this way?

Any good suggestions are welcome!!!

anedroid
Joined: 09/29/2021

Debian repositories are usually signed by GnuPG, so it's an additional protection if SSL fails, e.g. because the cert fails or the connection is MitM-ed by a CA. Repository keys are stored by default in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/*.gpg. You can see and manage them using the apt-key program:


apt-key list – to list all certificates
apt-key add newkey.gpg – to add new key to keystore
apt-key delete 'key ID' – to delete key from keystore

If you don't want to import a key (which is very unreasonable), you can put "[trusted=yes]" before the source definition to make apt ignore the missing key. You can also point to a different key location using "[signed-by=/path/to/key.gpg]", which might be helpful if you don't trust the key and prefer to apply it to one specific source only.

To conclude, you can safely download software using apt and not worry about injected malware, it doesn't matter whether via http or https, unless your configuration doesn't verify signatures. Of course, it's better if the repository has SSL enabled and working.

I hope I was helpful.
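
An added example, not written by either poster: a small auditor for one-line-style sources.list entries that reports whether each source still relies on signature verification after a switch from https to http, or whether an option such as "[trusted=yes]" has turned that verification off. The sample entries, hostnames and key path are constructed placeholders; the option names are those documented in sources.list(5).

```python
import re

# Constructed sample in one-line sources.list format; hosts and key path are placeholders.
SAMPLE = """\
# constructed example entries
deb http://mirror.example.org/trisquel release main
deb [signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.org/apt stable main
deb [trusted=yes] http://unsigned.example.org/apt ./
deb [arch=amd64 allow-insecure=yes] https://legacy.example.org/apt stable main
"""

# Options from sources.list(5) that switch off or weaken signature checks.
WEAKENING = {"trusted": "yes", "allow-insecure": "yes", "allow-weak": "yes",
             "allow-downgrade-to-insecure": "yes"}

ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

def audit(text):
    """Return one finding dict per active entry in a one-line-style sources file."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = ENTRY.match(line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m["opts"] or "").split() if "=" in o)
        weakened = sorted(k for k, v in WEAKENING.items() if opts.get(k) == v)
        scheme = m["uri"].split(":", 1)[0]
        if weakened:
            verdict = "UNVERIFIED"   # signatures not enforced for this source
        elif scheme == "https":
            verdict = "SIGNED+TLS"   # signature check plus transport encryption
        else:
            verdict = "SIGNED"       # plain http, content still signature-checked
        findings.append({"uri": m["uri"], "verdict": verdict,
                         "weakened_by": weakened,
                         "signed_by": opts.get("signed-by")})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        key = f["signed_by"] or "global keyring"
        print(f"{f['verdict']:<11} {f['uri']}  key={key}  {f['weakened_by'] or ''}")
```

An entry reported as UNVERIFIED over http has no integrity protection at all, which is the one case where the http/https choice decides whether tampering would be noticed.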