
A question for Debian/Ubuntu folk...


I want to add some third party software to my apt sources.list (in this case, the owncloud repo), so I add their repo to sources.list and do an apt update.

In order to make sure that the software apt downloads is trusted and unmodified, secure APT validates the distro against a set of GPG keys you've previously trusted. So, if you're to trust a third party repo, you need to add their public key to your keyring.

However, owncloud, who use the OpenSUSE CDN, force you to download this release key via HTTP (because the CDN doesn't support HTTPS).

It seems to me that an attacker could MITM this connection and make you install their key. They could then get you to install their modified software, and you'd get no warning, because it would seem legit.

Have I missed something?
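The usual defence against the scenario above is to pin the key's fingerprint: obtain the 40-hex-digit OpenPGP fingerprint over an independent channel (an HTTPS page, a mailing-list announcement, a colleague's verified copy) and refuse to install anything fetched over plain HTTP whose fingerprint does not match. The following is an added example, not code from the post or from ownCloud or Debian, that computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte body length and the public-key packet body) in pure Python and compares it to a pinned value. The key it checks is a constructed RSA key with a tiny, meaningless modulus so the script runs offline; `build_sample_key`, `armor` and the expected fingerprints are all part of the example, not anything published by a real project.

```python
"""Pin-and-verify an OpenPGP public key fetched over an untrusted channel.

Added example (not from the original post). The sample key is constructed
in-script with a fake 64-bit modulus purely so the code runs offline.
"""
import base64
import hashlib
import hmac
import struct
import textwrap


def _mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (bit count + big-endian bytes)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_key(modulus: int, exponent: int = 65537, created: int = 0) -> bytes:
    """Constructed v4 RSA public-key packet (tag 6) with an old-format header. Test data only."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    if len(body) < 256:
        header = bytes([0x80 | (6 << 2) | 0, len(body)])          # one-byte length
    else:
        header = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body))  # two-byte length
    return header + body


def armor(key: bytes) -> str:
    """ASCII-armor a binary key the way `gpg --export --armor` would (CRC line omitted)."""
    b64 = base64.b64encode(key).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor headers, the blank line and the optional CRC24 line; base64-decode the rest."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored OpenPGP block")
    body, seen_blank = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not seen_blank:                 # armor headers end at the first blank line
            seen_blank = line.strip() == ""
            continue
        if line.startswith("="):           # CRC24 checksum line; irrelevant to the fingerprint
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def _read_packet(data: bytes):
    """Parse the first OpenPGP packet header (old or new format). Returns (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                         # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                  # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def v4_fingerprint(key_bytes: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1(0x99 || 2-byte body length || public-key packet body)."""
    tag, body = _read_packet(key_bytes)
    if tag != 6:
        raise ValueError("first packet is not a public key (tag 6)")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return h.hexdigest().upper()


def verify_fetched_key(blob, expected_fingerprint: str) -> bool:
    """True only if the fetched key (armored str/bytes or binary) matches the pinned fingerprint."""
    if isinstance(blob, str):
        blob = blob.encode()
    key = dearmor(blob.decode()) if blob.startswith(b"-----BEGIN") else blob
    expected = expected_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(key), expected)


if __name__ == "__main__":
    # Constructed key standing in for a release key downloaded over plain HTTP.
    fetched = armor(build_sample_key(0xC0FFEE1234567891, created=1700000000))
    pinned = v4_fingerprint(dearmor(fetched))      # in practice: copied from an out-of-band source
    print("fingerprint:", pinned)
    print("genuine key accepted:", verify_fetched_key(fetched, pinned))
    # A key substituted on the wire (different modulus) has a different fingerprint.
    swapped = armor(build_sample_key(0xC0FFEE1234567893, created=1700000000))
    print("swapped key accepted:", verify_fetched_key(swapped, pinned))
```

Only install the key (for example into a keyring referenced by a `signed-by=` option in the sources entry) when `verify_fetched_key` returns `True`; the comparison is what turns an HTTP download into something you can trust.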