Termux-app: Use HTTPS for apt-get

Created on 25 Sep 2016 · 16 Comments · Source: termux/termux-app

It would be nice if you could preinstall apt-get-transport-https and use https://termux.net/ as the default source for apt-get.
Post-snowden we should know that metadata matters and the list of installed packages is a big source of metadata, which can easily be protected by using HTTPS.

Quite recently also Debian acknowledges that and provides Onion services for apt-get now. I think going so far for Termux would be too much (at least for a default config), but HTTPS should be the baseline nowadays.

However it has to be said that the way HTTPS is used at https://termux.net/ is not good right now, as it uses Cloudflare. And as Cloudflare has MITM built in, it may not be the best choice. However it might be okay if you at least use "Full SSL (Strict)" or "Keyless SSL", as these methods at least properly encrypt the traffic between Cloudflare and your server.

enhancement

All 16 comments

+1 for https and good management of ssl certs

The historical reason that https is not used by default is to save space - on initial startup a couple of base packages are downloaded, and we want this to be as small as possible.

But perhaps this (avoiding installation of apt-transport-https and its dependencies libcurl, openssl and libnghttp2 by default) is not a problem - it looks like around 2.5 MB of install size would be added, which is not that huge.

Switching to TLS would also fix problems with "helpful" caching proxies in addition to MITM attacks.

Switching to TLS would also fix problems with "helpful" caching proxies in addition to MITM attacks.

Are there really such things? Can you give an example (link) for such a case, where a proxy does crappy things with apt packages?

+1

+1

+1
@rugk There are some proxies that do exist which cache anything not using secure encryption. A good Google search can find one (hopefully), or if that fails, maybe Wikipedia could actually be useful. Either way, if the content gets cached, and something manipulates the pointed-at data (which isn't impossible), the proxy would send us the invalid data.
Best thing that could happen: Our client program requests it and eventually gives up.
Worst things that could happen include: A corrupt apt package, irreparable termux install, or even a compromised device (for rooted users that have Termux always given permission instead of asked each time it invokes the 'su' binary... which I suggest everyone who uses Termux and is rooted to set Termux's 'su' ability to Always ask / Ask each time until at least this is given a fix and pushed out to the userbase).

@like2omg Note that the packages are already signed with gpg and validated before install - see secure apt. This means that the package manager will never install packages that have been modified, since an attacker cannot sign these modified packages with a trusted key.

@fornwall Thank you for clarifying for me (one who never could even understand how compiling applications worked, much less understand what seemed like a very simple change I did to a foreign programming language's code (C or C++) caused so much of a problem to the end result's executable)
... I need to broaden my knowledge of languages (RANT? and find out where exactly to look for help when using Cygwin as nobody seems to have the answers of all the required packages for both, the creators of the program and Cygwin devs as well.... doesn't help that my only good system, dual boot Windows/Linux, has a hissy fit with my touchscreen on Linux when it tries to read it while Windows has no issues at all (something about the amount of "frames" being wrong, rounds down, disconnects it, tries yet again))

+1

This is now finally in place - the Termux packages are installed over https by default for new installations!

Existing users need to update their system by running pkg up to update to the 1.4.8 version of the apt package where https by default is enabled.

Could this be the cause of these pubkey errors? I updated apt and others successfully, then went to install a new package, and got these.

Welcome to Termux!

Wiki:            https://wiki.termux.com
Community forum: https://termux.com/community
IRC channel:     #termux on freenode
Gitter chat:     https://gitter.im/termux/termux
Mailing list:    [email protected]

Search packages:   pkg search <query>
Install a package: pkg install <package>
Upgrade packages:  pkg upgrade
Learn more:        pkg help
0|localhost/1:~$ pkg up
Hit:1 https://termux.net stable InRelease
Hit:2 https://its-pointless.github.io/files termux InRelease
Get:3 https://xeffyr.github.io/termux-x-repository termux InRelease [2040 B]
Err:2 https://its-pointless.github.io/files termux InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 906F5AFA9A32C72D
Err:3 https://xeffyr.github.io/termux-x-repository termux InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 45F2964132545795
Fetched 2040 B in 2s (1000 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://its-pointless.github.io/files termux InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 906F5AFA9A32C72D
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://xeffyr.github.io/termux-x-repository termux InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 45F2964132545795
W: Failed to fetch https://its-pointless.github.io/files/dists/termux/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 906F5AFA9A32C72D
W: Failed to fetch https://xeffyr.github.io/termux-x-repository/dists/termux/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 45F2964132545795
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
0|localhost/1:~$

Is this a problem with these other repos?
@its-pointless @xeffyr
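An added example, not code from the Termux project or from anyone in this thread: a small POSIX shell helper that reads apt output like the session above and lists each repository whose InRelease signature failed with NO_PUBKEY, together with the key id that needs importing. The apt output it parses is a constructed sample modelled on the session above; the function names are my own.

```shell
#!/bin/sh
# Added example, not Termux project code: find repositories whose InRelease
# signature could not be verified (NO_PUBKEY) in apt output, so the operator
# knows exactly which keys are missing before trusting the repository again.

# Constructed sample of apt output, modelled on the session in the thread.
sample_apt_output() {
cat <<'EOF'
Hit:1 https://termux.net stable InRelease
Hit:2 https://its-pointless.github.io/files termux InRelease
Get:3 https://xeffyr.github.io/termux-x-repository termux InRelease [2040 B]
Err:2 https://its-pointless.github.io/files termux InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 906F5AFA9A32C72D
Err:3 https://xeffyr.github.io/termux-x-repository termux InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 45F2964132545795
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://its-pointless.github.io/files termux InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 906F5AFA9A32C72D
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://xeffyr.github.io/termux-x-repository termux InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 45F2964132545795
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

# Read apt output on stdin; print one "url suite keyid" line per repository
# whose InRelease signature failed with NO_PUBKEY. Only the "W: ... GPG error:"
# lines carry the repository URL, the suite and the key id together, so those
# are the ones matched; duplicates are collapsed with sort -u.
missing_pubkeys() {
    sed -n 's/^W: .*GPG error: \([^ ]*\) \([^ ]*\) InRelease: .*NO_PUBKEY \([0-9A-Fa-f]*\).*$/\1 \2 \3/p' | sort -u
}

# Number of affected repositories; 0 means every InRelease was verified.
count_missing_pubkeys() {
    missing_pubkeys | wc -l | tr -d ' '
}

# Stand-alone demo: run the parser over the constructed sample.
sample_apt_output | missing_pubkeys
```

In practice you would pipe the real output in, e.g. `apt update 2>&1 | missing_pubkeys`; a non-zero count means apt is still using stale index files for those repositories, which is the "previous index files will be used" warning above, and each listed key id must be imported from the repository maintainer's published key before packages from it will be trusted.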

@Quasic , my pubkey does not have errors.
Perhaps, you just missed this step:

wget https://xeffyr.github.io/termux-x-repository/pubkey.gpg
apt-key add pubkey.gpg

@xeffyr @Quasic last apt update before this one also removed any imported keys, so it seems like the keys need to be re-imported on updates

The update script could be smoother. I had difficulty using the options to decide what to do with the new sources file. In the end pkg up needed to be run twice to complete the update. @Quasic you probably wrote over your old sources file. How is reimporting the keys working for you?

Great job by the way; Thank you. I was eagerly waiting for https://termux.net/ to go online; It finally did. Congratulations!

@Grimler91 A similar grep function to the one in addbash_profile () from https://raw.githubusercontent.com/sdrausty/TermuxArch/master/scripts/files/stable/archsystemconfigs.sh can solve

last apt update before this one also removed any imported keys

cat with grep can parse existing configuration files and remove the lines that want substitution. The updated configuration line(s) can then be merged with the old, creating a new configuration file on-the-fly.
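As an added example of the merge the comment above describes (my own code, not the TermuxArch script or the Termux update script): the new default sources.list replaces only the lines for hosts it itself mentions, every other `deb` line from the old file is kept, and a final check flags any entry still fetched over plain http. Both sources files are constructed samples; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Termux project code: merge a new default sources.list
# into an existing one without losing the user's extra repositories, then
# flag any entry still using plain http.

# Constructed sample of an old sources.list with one user-added repository.
old_sources() {
cat <<'EOF'
# The termux repository mirror
deb http://termux.net stable main
# user-added extra repository
deb https://xeffyr.github.io/termux-x-repository termux extras
EOF
}

# Constructed sample of the new default sources.list shipped by an update.
new_sources() {
cat <<'EOF'
# The termux repository mirror
deb https://termux.net stable main
EOF
}

# merge_sources OLD NEW: print the merged "deb" lines. Every deb line of NEW
# is kept; deb lines of OLD are kept only for hosts NEW does not mention, so
# the mirror switches to the new (https) line while extra repos survive.
merge_sources() {
    new_hosts=$(grep '^deb ' "$2" | sed -E 's#^deb https?://([^/ ]+).*#\1#' | sort -u)
    grep '^deb ' "$2"
    old=$(grep '^deb ' "$1" || true)
    for h in $new_hosts; do
        # Drop old lines for this host; grep -v exits 1 when nothing remains.
        old=$(printf '%s\n' "$old" | grep -v -E "^deb https?://$h(/| )" || true)
    done
    [ -n "$old" ] && printf '%s\n' "$old"
    return 0
}

# insecure_lines FILE: print deb lines still using plain http; exit status is
# 0 when at least one such line exists, 1 when the file is all https.
insecure_lines() {
    grep -E '^deb http://' "$1"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
old_sources > "$demo_dir/old.list"
new_sources > "$demo_dir/new.list"
merge_sources "$demo_dir/old.list" "$demo_dir/new.list" > "$demo_dir/merged.list"
cat "$demo_dir/merged.list"
if insecure_lines "$demo_dir/merged.list" > /dev/null; then
    echo "warning: plain-http entries remain"
fi
```

The host-based replacement is what keeps the user's `sources.list.d`-style extras intact while the termux.net line is swapped to https; comments are dropped in the merged output, so if you rely on them, write the merged lines into a fresh file rather than over the original.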

Ah, thanks, I just found apt-key list, and the keys were missing. @xeffyr's fix worked. I think its-pointless has his listed in manual install instructions, so I think I'll be good soon. I left the sources.list file alone and used the directory instead:

0|localhost/0:/data/data/com.termux/files/usr/etc/apt/sources.list.d$ ls
pointless.list  xeffyr.list

EDIT: I still have the old keys. They still work, too. I guess it uses a common key file that is overwritten.
