
Does the built-in apt package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?

My understanding was that packages downloaded with apt-get would be cryptographically verified, because the repo syncs PGP-signed manifest files on apt-get update.

However, I stumbled on an article today that suggested that unsigned packages are accepted by default on all major Debian-based operating systems, by the contents of /etc/dpkg/dpkg.cfg:

root@disp2019:~# cat /etc/dpkg/dpkg.cfg
# dpkg configuration file
#
# This file can contain default options for dpkg.  All command-line
# options are allowed.  Values can be specified by putting them after
# the option, separated by whitespace and/or an `=' sign.
#

# Do not enable debsig-verify by default; since the distribution is not using
# embedded signatures, debsig-verify would reject all packages.
no-debsig

# Log status changes and actions to a file.
log /var/log/dpkg.log
root@disp2019:~# 

Indeed, this does not look good.

Do operating systems with apt require valid signatures from a pinned set of keys stored in the apt-key keyring for all packages by default? Or are these signatures just treated as optional by default?

Michael Altfield

1 Answer


There are two types of cryptographic validation here:

  • Apt supports having each developer sign the package with their own key, and validating that signature on package install. This is what this file refers to, and it is not used (currently) by Debian, Ubuntu, etc.

  • The repository manifest is cryptographically signed with a repository key (see apt-secure(8)), and that validates the packages it refers to. That is used by all of them.

So, there is a cryptographic validation, just not the one that file refers to.

Ángel