We switched from a publicly accessible reprepro Debian package repository (which was powered by an Apache web server) to the Sonatype Nexus Repository OSS, which is great piece of software. But we ran into one problem: When someone uploads a Debian package it's signed on the Nexus server, which we expose to our customers/the internet. In addition, the GPG key and passphrase is known to Nexus for package signing.
Or in other words: I am afraid of a similar situation like the SolarWinds supply chain attack. Scenario: Person attacks the publicly accessible Nexus server/Nexus itself, takes over Nexus, changes existing packages and resigns them with the GPG key/GPG passphrase. Then, malicious code is served to our customers.
I thought about exposing the file blob store directory as read only target to a publicly exposed web server and keep Nexus company internal. Sadly the internal file blob store layout is different, so that's not possible.
So my questions:
Is there a good way to expose the the blob storage in a Deb/RPM/Docker/etc. compatible format which can be served by a more protected, publicly accessible Apache server and consumed by tooks like dpkg/yum/dnf/Docker etc?
I also thought about a second read only Nexus server which is rsync'ed every 10 minutes or so. An attacker would then take over this server, but the package signing check (At least for DEB/RPM) prevents installation of the tampered package
Use an Apache reverse proxy with certificate based authentication (I guess the most secure but complex solution)
But maybe there is already such a feature/another way and I just missed it in the documentation?
In the end we came up with several steps to minimize the risk: