1

Some .deb packages, as Google SW, for example, install PGP keys and add their own software repository during installation.

Question: How can I prevent .deb packages from installing PGP keys and update the sources list?

Trudy
  • 854

1 Answers1

2

Unfortunately there is no generic way to prevent packages from installing keys or adding repositories.

If the packages ship the corresponding files in their target locations, you can exclude them by adding

path-exclude=/etc/apt/sources.list.d/*
path-exclude=/etc/apt/trusted.gpg.d/*

but the second line above will also disable key updates from distribution packages.

This won’t work at all with packages such as Google’s, since they install their keys and repositories from the packages’ maintainer scripts. In Google’s case, the packages even install a cronjob to take care of things (although as far as I can tell, it will avoid restoring a repository if the administrator deletes it).

Stephen Kitt
  • 434,908
  • Would it be still possible with Firejail or Apparmor confinements? – Trudy May 07 '21 at 11:49
  • @Trudy if by “it” you mean forbidding packages from installing keys and repositories, confinements wouldn’t add more possibilities: while it would be possible to deny access to the relevant directories, again it would be difficult to distinguish official packages from third-party packages, and the denial would be reported as an error, causing packaging installations and upgrades to fail. – Stephen Kitt May 07 '21 at 13:10
  • Isn't it possible to run firejail with a different profile when additional restrictions are needed? Isn't it possible to create different profiles e.g. for Synaptic, which is used for installations from the official repositories, and e.g. for dpkg, which is used for third-party packages? – Trudy May 10 '21 at 06:54
  • Synaptic runs dpkg behind the scenes... – Stephen Kitt May 10 '21 at 07:02
  • This shall not be a blocker at all. Apparmor profiles can instruct how the utilities are executed "behind the scenes". I am not sure about Firejail. Even if Firejail doesn't allow the same granularity, it has an option for selecting profiles from the command line, – Trudy May 10 '21 at 07:07
  • 1
    OK, but I’m not sure how profiles help with the problems caused by the restrictions. If you restrict for example Google’s packages to prevent them from writing to /etc/apt, their installation will fail at the configuration stage; if you don’t do anything to complete the installation at that point, the next time a packaging operation needs to configure anything, the configuration of the failed Google packages will run again, under the profile that’s active at that point. – Stephen Kitt May 10 '21 at 07:11
  • Yes, I was thinking of that too, but e.g. Firejail allows creating a tmpfs that is destroyed after the confined application is complete. I was thinking that it may be possible to make Firejail creating the temporary /etc/apt that will get deleted afterwards. – Trudy May 10 '21 at 07:19
  • 1
    Ah, OK, that sounds like it should work! – Stephen Kitt May 10 '21 at 07:26