32

One of the easy ways to install a program in Ubuntu Linux is to type a command in the terminal, but how do I know that the program is coming from a trusted source and not from somewhere dangerous? For example, if I was installing ClamAV, how do I know ClamAV came from www.clamav.net or somewhere safe and not from a malicious source? I mean, a hacker can do something to redirect the command to make it get the software from a fake site, correct?

Henry WH Hack v3.0
  • 2,109
  • 2
  • 23
  • 37

2 Answers2

57

As with many well-designed systems, the package system of Debian has defense in depth: multiple layers, each of which can be verified.

  • How do we trust the package file is what the system promises? The hash value is computed and compared against the stored value.

  • How do we trust the hash value isn't accidentally matching some other file? Multiple hash algorithms are used, and only if all those match the stored values do we trust the content actually matches.

  • How do we trust the stored values are meant for the package file we downloaded? The hash values are downloaded in a separate file (the various Packages.* files) pre-computed automatically by the archive system.

  • How do we trust the downloaded Packages.* files are what is promised by the system? The hash value for each file is stored in a single Release file for the whole archive.

  • How do we trust that the Release file is what is promised by the system? The cryptographic signature is computed, and compared against the separately-downloaded pre-computed signature from the archive.

  • How do we trust the signatures stored in the archive are actually from the archive we expected? It is certified by an archive key which we can fetch independently from a separate URL, and is installed in the initial set-up of the operating system.

And so on. At some point in the chain you have to trust some part of (and party in) the system, on less-than-ideal evidence.

With the above layers, the low-evidence trust window can be kept small and easily-scrutinised. The one-way hashes, and cryptographic signatures, allow us to trust the mathematics to certify what follows in sequence.

The Debian wiki has a good, comprehensive description of how the APT system is secured.

Of course, many other things can go wrong by mistake or malice, and violate our assumptions about what is actually happening. As usual, the only persistent defense against possible attacks is: eternal vigilance.

bignose
  • 548
  • 4
  • 7
  • 3
    Nice answer! It would be even better if you could add some reference links. – Neil Smithline Dec 29 '15 at 02:03
  • 9
    It gets more complicated when problematic license terms prevent the packages from containing all the code they need and instead contain a script to download the rest of the code. – kasperd Dec 29 '15 at 17:22
  • 2
    I joined this community just to give you an upvote. Nice. – JonH Dec 29 '15 at 17:38
3

apt-get has a list of trusted gpg-keys. apt-get install downloads the packages from repository (mirror) servers, normally not the server of the author of the software. To ensure authenticity each package is signed with gpg. The package is only installed if the signature is trusted. So even in the case of a MITM-attack the signature-check will fail if the package is modified.

H. Idden
  • 2,988
  • 1
  • 10
  • 19
  • 1
    Most packages are not signed. See http://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/. – Neil Smithline Dec 28 '15 at 23:42
  • 1
    @NeilSmithline https://help.ubuntu.com/community/SecureApt seems to say otherwise? For me it also seems a more trustworthy source of information. From what I understand one of the difference between the 2 sites is, that packagecloud talks about packages signed by the developer and ubuntu.com talks about the the package list with the MD5-sums of all packages-files beeing signed by the repository. – H. Idden Dec 29 '15 at 00:10
  • 2
    @NeilSmithline - question is about Ubuntu not Debian. AFAIK all official Ubuntu packages are signed – paj28 Dec 29 '15 at 11:08
  • @paj28 doesn't Ubuntu ship Debian packages? Do they sign them before doing such? – Neil Smithline Dec 29 '15 at 16:16
  • @paj28 the packages sources are signed, binaries aren't. What is signed in the binaries are the repositories. – Braiam Dec 29 '15 at 16:28