Integrate GPG signing for Debian repository to prevent package injection attacks

CONTRIBUTING.md

@@ -57,19 +57,48 @@ aptly repo create -config=aptly.conf -component=main -distribution=stable log4tc
 # add deb packages to the repository
 aptly repo add -config=aptly.conf log4tc *.deb
 
-# publish the repository to a local directory
-aptly publish repo -config=aptly.conf -architectures="amd64,arm64" -skip-signing log4tc
+# Generate GPG key for signing (one-time setup)
+cat >gpg-batch <<EOF
+%echo Generating GPG key for log4TC repository
+Key-Type: RSA
+Key-Length: 4096
+Subkey-Type: RSA
+Subkey-Length: 4096
+Name-Real: log4TC Package Repository
+Name-Email: packages@log4tc.mbc-engineering.com
+Expire-Date: 0
+%no-protection
+%commit
+%echo done
+EOF
+gpg --batch --generate-key gpg-batch
+
+# Get the GPG key ID
+export GPG_KEY_ID=$(gpg --list-keys --with-colons packages@log4tc.mbc-engineering.com | grep '^pub' | cut -d':' -f5)
+
+# publish the repository to a local directory with GPG signing
+aptly publish repo -config=aptly.conf -architectures="amd64,arm64" -gpg-key="$GPG_KEY_ID" log4tc
+
+# Export the public key for distribution
+mkdir -p repo/public
+gpg --armor --export packages@log4tc.mbc-engineering.com > repo/public/log4tc-archive-keyring.gpg
+
+# Copy public key to the published directory for easy access
+cp repo/public/log4tc-archive-keyring.gpg repo/public/dists/stable/
 
 # The contents of the public directory can then be copied to the gh-pages branch of the github repository
-cp -r /root/.aptly/public/* /tmp/deb/
+cp -r repo/public/* /tmp/deb/
 
-# Now you can add following line to apt /etc/apt/sources.list.d/log4tc.list:
-# deb https://mbc-engineering.github.io/log4TC/deb/ stable main
+# To use the repository, first download and install the GPG key:
+# wget -qO- https://mbc-engineering.github.io/log4TC/deb/log4tc-archive-keyring.gpg | sudo tee /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg > /dev/null
+
+# Then add the repository to apt /etc/apt/sources.list.d/log4tc.list:
+# deb [signed-by=/etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg] https://mbc-engineering.github.io/log4TC/deb/ stable main
 
 # or in the new format /etc/apt/sources.list.d/log4tc.sources:
 # Types: deb
 # URIs: https://mbc-engineering.github.io/log4TC/deb
 # Suites: stable
 # Components: main
-# Trusted: yes
+# Signed-By: /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg
 ```

azure-pipelines-release.yml

@@ -226,12 +226,40 @@ stages:
               echo 'Install aptly'
               sudo apt-get install -qq -y aptly gnupg
 
+              echo 'Generate GPG key for signing the repository'
+              cat >gpg-batch <<EOF
+              %echo Generating GPG key for log4TC repository
+              Key-Type: RSA
+              Key-Length: 4096
+              Subkey-Type: RSA
+              Subkey-Length: 4096
+              Name-Real: log4TC Package Repository
+              Name-Email: packages@log4tc.mbc-engineering.com
+              Expire-Date: 0
+              %no-protection
+              %commit
+              %echo done
+              EOF
+
+              gpg --batch --generate-key gpg-batch
+
+              echo 'Configure GPG key for aptly'
+              export GPG_KEY_ID=$(gpg --list-keys --with-colons packages@log4tc.mbc-engineering.com | grep '^pub' | cut -d':' -f5)
+              echo "Using GPG Key ID: $GPG_KEY_ID"
+
               echo 'add deb packages to the repository'
               aptly repo add -config=aptly.conf log4tc $(Pipeline.Workspace)/log4TC-deb/*.deb
 
-              echo 'publish the repository to a local directory'
-              aptly publish repo -config=aptly.conf -architectures="amd64,arm64" -skip-signing log4tc
+              echo 'publish the repository to a local directory with GPG signing'
+              aptly publish repo -config=aptly.conf -architectures="amd64,arm64" -gpg-key="$GPG_KEY_ID" log4tc
 
+              echo 'Export public key for distribution'
+              mkdir -p repo/public
+              gpg --armor --export packages@log4tc.mbc-engineering.com > repo/public/log4tc-archive-keyring.gpg
+
+              echo 'Copy public key to the published directory for easy access'
+              cp repo/public/log4tc-archive-keyring.gpg repo/public/dists/stable/
+
               echo 'The contents of the public directory can then be copied to the staging area'
               cp -r repo/public/ $(Build.ArtifactStagingDirectory)/deb/
             displayName: 'update deb repository with aptly to staging area'

docs/reference/installation.md

@@ -74,9 +74,14 @@ Starten sie das setup erneut mit der Kommandozeile ausgeführt als Administrator
 
 1. Hinzufügen des log4TC sources in apt sources listen:
 
+Zuerst den GPG-Schlüssel herunterladen und installieren:
+```bash
+wget -qO- https://mbc-engineering.github.io/log4TC/deb/log4tc-archive-keyring.gpg | sudo tee /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg > /dev/null
+```
+
 **Legacy list format** `/etc/apt/sources.list.d/log4tc.list`:
 ```bash
-deb https://mbc-engineering.github.io/log4TC/deb stable main
+deb [signed-by=/etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg] https://mbc-engineering.github.io/log4TC/deb stable main
 ```
 
 **New format** `/etc/apt/sources.list.d/log4tc.sources`:
@@ -85,8 +90,7 @@ Types: deb
 URIs: https://mbc-engineering.github.io/log4TC/deb
 Suites: stable
 Components: main
-# there is no GPG key available, so we mark the repository as trusted
-Trusted: yes
+Signed-By: /etc/apt/trusted.gpg.d/log4tc-archive-keyring.gpg
 ```
 
 2. Aktualisieren der apt package listen: