9

As with a lot of open-source software (Debian, Eclipse, PHP), you can apply to become a mirror of their site/downloads. I fully understand that this helps them with bandwidth and distribution.

However, what stops people uploading malicious copies of the software to their mirror?

I know some sites offer MD5/SHA1 hashes of the download, to ensure your download is valid, however does anyone without a tinfoil hat actually check these?


TL;DR

If I download an ISO from http://www.debian.org/distrib/ how do I know it's legit?

Ben Poulson

1 Answer

13

Package managers such as aptitude which is used on Debian implement GPG keys to authenticate the package. The Debian install will come with the public key of the package signer, which is then checked before installing downloaded packages.

Sometimes you'll find you end up with an error if this process fails:

W: GPG error: http://www.debian-multimedia.org etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: You may want to run apt-get update to correct these problems

You can see more details about the solution, called SecureApt, here: https://wiki.debian.org/SecureApt


To address your revision regarding the downloading of installer CD images:

Yes, multiple mirrors exist and one of the primary delivery methods (HTTP) is vulnerable to a MITM attack which could modify the image in such a way as to make your installer contain a rootkit. However, unlike updating packages, installing the base system is a much less frequent event.

Manual PGP protections are also in place for the CD images. Firstly, all disc images on the mirrors should provide MD5 and multiple SHA hashes for every image. These hash files are themselves signed by Debian to ensure they also cannot be forged on a mirror site.

Before downloading the ISO, verify the integrity of the SHA256 or SHA512 (most secure) using for example gpg.

gpg --verify SHA512SUMS.sign SHA512SUMS

This will give you an error if you don't currently have the public key the file was signed with. In that case check the signature given and compare it against the trusted keys on Debian's website: http://www.debian.org/CD/verify

This is the most important part of verification, because integrity of the hash file revolves around the integrity of the key you trust.

Once you've verified an appropriate key, install it in your keychain like so:

gpg --recv-key --keyserver subkeys.pgp.net LAST8CHARSOFFINGERPRINT

This fetches a key matching the signing key's fingerprint from a server.

Finally, gpg --verify SHA512SUMS.sign SHA512SUMS should now tell you whether the hash file is authentic. If it is, you can safely compare the result of your sha512 chosen.iso with what's in the sums file.

Naturally this all assumes you run these commands from a trusted computer, where sha512 and gpg are unaltered by an attacker.

YPMV (your paranoia may vary).

deed02392
  • 2
    This also means that even if the packages are distributed over HTTP a MITM attack would be fruitless – Andy Smith Mar 12 '14 at 14:35
  • 1
    OP gives an example about an ISO. .md5 or .sha files are usually just there on plain HTTP or FTP (for people that actually do the checks). In that case you don't really know. – domen Mar 18 '14 at 16:59
  • @domen that was added after my answer. Now see edit. – deed02392 Mar 19 '14 at 09:34
  • 1
    Signatures of trusted keys are on HTTP, so you've just added one more step for an attacker. (Yes, I know, that site also exists on HTTPS) – domen Mar 19 '14 at 14:50
  • That is just one location you can find them. They are also available on public key servers (where other users will sign them). If HTTPS is available, then use it. That adds more than one step. – deed02392 Mar 19 '14 at 19:48
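
The verification steps from the answer above, chained into one fail-closed script. This is an added example, not part of the original answer: the function names are hypothetical, `sha512sum` (GNU coreutils) is assumed in place of the answer's `sha512`, and the signing key is assumed to be in the local keyring already, after its fingerprint was checked.

```shell
#!/bin/sh
# Added example: fail-closed check of an ISO against a signed SHA512SUMS file.
# File names follow the answer; the function names are made up for this sketch.

# Step 1: the sums file must carry a good signature from a key that is
# already in the local keyring (one whose fingerprint you checked first).
sums_signature_ok() (
    sums=$1 sig=$2
    gpg --verify "$sig" "$sums" >/dev/null 2>&1
)

# Step 2: the ISO's SHA-512 must equal the entry for exactly that file name.
iso_matches_sums() (
    sums=$1 iso=$2
    name=$(basename "$iso")
    # Lines look like "<128 hex chars>  <name>"; a '*' before the name marks binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$sums")
    # Zero or several entries for the name: refuse rather than guess.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || exit 2
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
)

# Signature first, hash second: an unsigned or forged sums file is never consulted.
verify_iso() (
    sums=$1 sig=$2 iso=$3
    sums_signature_ok "$sums" "$sig" || { echo "BAD: signature on $sums" >&2; exit 1; }
    iso_matches_sums "$sums" "$iso" || { echo "BAD: hash of $iso" >&2; exit 1; }
    echo "OK: $iso matches signed $sums"
)

# Usage: sh verify-iso.sh SHA512SUMS SHA512SUMS.sign chosen.iso
if [ "$#" -eq 3 ]; then verify_iso "$@"; fi
```

A good hash against an unsigned sums file proves nothing about a mirror, which is why `verify_iso` stops before the hash comparison when the signature check fails.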