Update install docs for https urls

[jodh-intel]

All the installation guides that specify OBS URLS...

• https://github.com/kata-containers/documentation/tree/master/install
• https://github.com/kata-containers/documentation/tree/master/install/docker

... currently specify http URLs along with the following warning:

Note: This installation channel is not secure since the repository currently redirects download URLs to http.

This is now very close to being fully resolved as download URLs for Ubuntu, Fedora, RHEL and CentOS all correctly redirect from https -> https fwics:

However, we're still waiting for OpenSuSE and SLES to be updated - see #83 (comment).

Once this is done, we can do the following to all the install docs:

• Update the OBS URLs from http to https.
• Remove the warning.

/cc @adrianschroeter, @vrothberg.

[jodh-intel]

@adrianschroeter, @vrothberg - Maybe it was some sort of propagation issue, but it's now working for me for SLES and OpenSuSE!

[robcresswell]

Is this still an issue? I was looking to try out Kata but any http URL is, unfortunately, a complete blocker.

[jodh-intel]

Hi @robcresswell - According to @adrianschroeter this is not something OBS can control as anyone can be an OBS mirror. If you get lucky, you can download the packages via an end-to-end https channel but that cannot be guaranteed unless you configure your system to use a known OBS mirror that uses https.

@adrianschroeter / @vrothberg - could you maybe give an example of a well-known OBS mirror that uses https along with basic instructions for how users might configure their systems to "pin" a package manager to use that mirror only? Alternatively, if there is a doc you could reference?

/cc @egernst, @jcvenegas, @bergwolf, @sboeuf, @grahamwhaley, @marcov.

[robcresswell]

Ah, I understand; happy to do some digging if someone could start me off on the right track.

[marcov]

Is this still an issue? I was looking to try out Kata but any http URL is, unfortunately, a complete blocker.

Hi @robcresswell, if you are concerned about http being vulnerable to MITM attacks, that should not be an issue as the repository metadata and all package are signed with GPG.

(Speaking for SUSE distros), After you added the kata repository, when refreshing the repository metadata you should be prompted with this:

New repository or package signing key received:    
                                                        
  Repository:       kata-official                      
  Key Name:         home:katacontainers OBS Project <home:katacontainers@build.opensuse.org>
  Key Fingerprint:  9FDC0CB6 3708CF80 3696E2DC D0B37B82 6063F3ED
  Key Created:      Tue 12 Jun 2018 07:35:26 AM CEST
  Key Expires:      Thu 20 Aug 2020 07:35:26 AM CEST
  Rpm Name:         gpg-pubkey-6063f3ed-5b1f5b9e        
                                                            
                                                  
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r):

If you recognize that key fingerprint as valid, then you can trust packages installed even when using http.

For the geeks, some more handful commands to check GPG keys:

# Show the RPM signing key trusted on your system:
rpm -qa "gpg-pubkey*" --qf "%{version}-%{release} %{summary}\n"

# Get the GPG public key for the home:katacontainers project on OBS:
osc signkey home:katacontainers > kata.pub

# Get the key fingerprint:
gpg --import --import-options show-only kata.pub

[marcov]

@adrianschroeter / @vrothberg - could you maybe give an example of a well-known OBS mirror that uses https along with basic instructions for how users might configure their systems to "pin" a package manager to use that mirror only? Alternatively, if there is a doc you could reference?

Hi @jodh-intel, pinning to a specific mirror is not suggested, as in the end mirrors "come and go", and having a mirror brain taking care of redirecting to the closest mirror has its advantages.

Here's the list of all openSUSE mirrors: https://mirrors.opensuse.org/

• This, for example, this is one mirror with HTTPS: https://ftp.gwdg.de/pub/opensuse/
• While this is a HTTP-only mirror: https://mirror.onet.pl/pub/mirrors/opensuse/

Using a HTTPS mirror directly is straightforward, just specify its URL in place of the generic download.opensuse.org.
E.g. for the HTTPs mirror above: https://ftp.gwdg.de/pub/opensuse/repositories/home:/katacontainers:/release/

[robcresswell]

@marcov That makes sense; apologies for my rash demand for https. Thanks for the pointers.

[jodh-intel]

Thanks for the information @marcov!

@robcresswell - hope you can now give Kata a spin? 😄

[robcresswell]

100%. Thanks for the help.

[jcvenegas]

@jodh-intel @marcov so can we replace the warning for a note, saying that despite of the http is used the respository should be ok because uses gpg checks?

[marcov]

@jcvenegas I would do the following:

1. Add somewhere in the installation instructions the public key fingerprint / value as a reference.
2. Say the users they need to verify that, when adding a repo in their distros, the fingerprint value prompted matches the one published.
3. As you said, remove the warning notice about HTTP being insecure.

I can take care of updating the docs if you want.

PS: the reference pubkey / fingerprint value must be on a trusted HTTPS domain.

[jodh-intel]

That sounds good @marcov and thanks for offering to update the docs! :)

[jodh-intel]

On the topic of http vs. https... https://justi.cz/security/2019/01/22/apt-rce.html:

• https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3462.html

[marcov]

Interesting reading.
If that is something concerning, an option would be to set up a file server to distribute kata packages over HTTPS, instead of relying on the OBS default one.