Does the built-in `apt` package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?
My understanding was that packages downloaded with `apt-get` would be cryptographically verified, because the repo would sync PGP-signed manifest files on `apt-get update`.

However, I stumbled on an article today that suggested that unsigned packages are accepted by default on all major Debian-based operating systems, based on the contents of `/etc/dpkg/dpkg.cfg`:
```
root@disp2019:~# cat /etc/dpkg/dpkg.cfg
# dpkg configuration file
#
# This file can contain default options for dpkg. All command-line
# options are allowed. Values can be specified by putting them after
# the option, separated by whitespace and/or an `=' sign.
#
# Do not enable debsig-verify by default; since the distribution is not using
# embedded signatures, debsig-verify would reject all packages.
no-debsig
# Log status changes and actions to a file.
log /var/log/dpkg.log
root@disp2019:~#
```
Indeed, this does not look good.
Do operating systems with `apt` require valid signatures from a pinned set of keys stored in the `apt-key` keyring on all packages by default? Or are these signatures just treated as optional by default?
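An added example, not part of the original question or of apt itself: a POSIX shell audit that flags the apt settings which would make Release-file signature checks optional on a host, namely the `[trusted=yes]` / `[allow-insecure=yes]` source options and the `APT::Get::AllowUnauthenticated` / `Acquire::AllowInsecureRepositories` configuration options. The `apt-config dump` output and sources.list entries below are constructed samples, and the mirror hostnames are placeholders.

```shell
#!/bin/sh
# Audit apt for settings that weaken repository signature enforcement.
# Constructed sample inputs; on a real host feed in `apt-config dump` output
# and the contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.

# Constructed `apt-config dump` excerpt with one risky option enabled.
SAMPLE_APT_CONFIG='APT "";
APT::Get "";
APT::Get::AllowUnauthenticated "true";
Acquire "";
Acquire::AllowInsecureRepositories "false";
Dir::Etc::trusted "trusted.gpg";'

# Constructed sources.list with one entry that opts out of verification.
SAMPLE_SOURCES='deb http://deb.debian.org/debian bookworm main
deb [trusted=yes] http://mirror.example.internal/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://pkgs.example.com/apt stable main'

# Read apt-config dump text on stdin; print the name of each option that
# disables or relaxes signature checking when set to "true", one per line.
weak_apt_options() {
    grep -E '^(APT::Get::AllowUnauthenticated|Acquire::AllowInsecureRepositories|Acquire::AllowDowngradeToInsecureRepositories) "true";' \
        | sed -E 's/ .*//'
}

# Read sources.list text on stdin; print each deb/deb-src line whose
# bracketed options bypass signature verification. No match is not an error.
unverified_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(trusted=yes|allow-insecure=yes)' || :
}

# Run both checks on config text ($1) and sources text ($2). Prints findings
# and returns 1 if any exist; returns 0 when only signed Release files are trusted.
audit_apt_verification() {
    findings=$(
        printf '%s\n' "$1" | weak_apt_options | sed 's/^/apt option set to true: /'
        printf '%s\n' "$2" | unverified_sources | sed 's/^/source bypasses signature check: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demonstration on the constructed samples (two findings expected).
audit_apt_verification "$SAMPLE_APT_CONFIG" "$SAMPLE_SOURCES" \
    || echo "apt signature enforcement is weakened on this host"
```

On a live system, run `audit_apt_verification "$(apt-config dump)" "$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null)"`; a clean result means apt will refuse repositories whose InRelease/Release signature cannot be verified against the configured keyrings.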