Provide a known-good Ubuntu archive keyring instead of downloading it

'apt-key adv --recv-keys' does not perform any validation, so an attacker who can interfere with the network path could potentially substitute their own malicious keyring. Include a known-good copy from the ubuntu-archive-keyring package (version 2016.05.13-1 as provided by Debian) instead. Signed-off-by: Simon McVittie <smcv@collabora.com>
ValveSoftware · Oct 9, 2018 · 2cb0efb · 2cb0efb
1 parent 20db393
commit 2cb0efb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 4 deletions.
diff --git a/setup_chroot.sh b/setup_chroot.sh
@@ -2,6 +2,7 @@
 
 SCRIPT=$(readlink -f "$0")
 SCRIPTNAME=$(basename "$SCRIPT")
+SCRIPT_DIR=$(dirname "$SCRIPT")
 LOGFILE=/tmp/${SCRIPTNAME%.*}-$(uname -i).log
 CHROOT_PREFIX="steamrt_scout_"
 CHROOT_DIR="/var/chroots"
@@ -83,12 +84,9 @@ build_chroot()
 	echo -e "\n${COLOR_ON}Creating /etc/schroot/chroot.d/${CHROOT_NAME}.conf...${COLOR_OFF}" 
 	printf "[${CHROOT_NAME}]\ndescription=Ubuntu 12.04 Precise for ${pkg}\ndirectory=${CHROOT_DIR}/${CHROOT_NAME}\npersonality=${personality}\ngroups=sudo\nroot-groups=sudo\npreserve-environment=true\ntype=directory\n" | sudo tee /etc/schroot/chroot.d/${CHROOT_NAME}.conf
 
-	# Add the Ubuntu GPG key to apt
-	sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x40976EAF437D05B5
-
 	# Create our chroot
 	echo -e "\n${COLOR_ON}Bootstrap the chroot...${COLOR_OFF}" 
-	sudo -E debootstrap --arch=${pkg} --include=wget precise ${CHROOT_DIR}/${CHROOT_NAME} http://archive.ubuntu.com/ubuntu/
+	sudo -E debootstrap --arch=${pkg} --include=wget --keyring="${SCRIPT_DIR}/ubuntu-archive-keyring.gpg" precise ${CHROOT_DIR}/${CHROOT_NAME} http://archive.ubuntu.com/ubuntu/
 
 	# Copy over proxy settings from host machine
 	echo -e "\n${COLOR_ON}Adding proxy info to chroot (if set)...${COLOR_OFF}" 

diff --git a/ubuntu-archive-keyring.gpg b/ubuntu-archive-keyring.gpg