How does apt-get check the integrity of the files it downloads?

1

I've been reading about why encryption is not normally deployed on apt-get's network activity, and learned that it checks the signature of the data that comes from the repo, right?

But now, how does this checking occur? How is it done so that it is really safe? For example, if the file and the key are on the server and are sent in an unencrypted way, how would that work? Someone could modify both...

Thanks :)

user512585

Posted 2015-10-22T06:02:38.247

Reputation:

Can you clarify how this question is different from your other one, http://superuser.com/questions/990129/buntu-integrity-check? Thanks.

– fixer1234 – 2015-10-22T06:10:46.977

Sure @fixer1234 :) In the other one I am asking if I am (or anyone is) particularly safe when downloading an iso file through torrent (because I never heard of someone modifying a torrent that a lot of users already have), and then getting, let's say, the md5sum from the actual website to check the downloaded iso. And that because I don't want to download from a site that doesn't use encryption and also get the verification checksum directly from there... And this one is about the specific check done by APT. :) – None – 2015-10-22T13:25:56.730

I decided to delete the other question because I remembered that in fact the distro cited was not the one from the question (as I was not sure at the moment. I even said that "as far as I remember". But then the correct memory came up :) Now... I guess this approach described above, when it's the only option, is a good one. That's relatively more safe... – None – 2015-10-22T16:39:44.940

Answers

6

At the root of an apt repository there is a Release file, which contains hashes of the various Contents, Release, and Packages files. The Packages files in turn have hashes of the individual .deb package files. At the same location as the root Release file, there is a Release.gpg file, which contains a GPG digital signature of the Release file, made with a private key belonging to the repository maintainers.

When apt-get downloads the Release file for a repository it will automatically attempt to verify the digital signature. If the public key from the key pair that the signature was made with is not registered on your system, you will be prompted to approve it; at this point you could contact the repository maintainers or a third party to verify that the public key is authentic by comparing fingerprints (or if you have an authentic copy of the public key you can add it with apt-key before you run apt-get.) After that, any files that apt-get downloads from the repository will be checked against their checksums in the Release or Packages files.

The hashes in the Release and Packages files are a normal data integrity feature of apt. The addition of the GPG signature is part of what Debian calls SecureApt (see that link for more details).

rakslice

Posted 2015-10-22T06:02:38.247

Reputation: 2 276

Thanks for your answer @rakslice. So, let's see if I got it right. Everything is in the root of a repo, right? The .deb's of the software we want to install are in the repo but not in the root, but the hashes and .gpg are... so, this private key must be checked against a public key, this one widely released and already included in a given distro (that being the developers' responsibility?). So if the .gpg on the repo is modified it would not check. And in this case I would have to approve it (I guess the best would be to try another repo then and advise the other one to check this out?) – None – 2015-10-22T13:41:07.060
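The hash chain rakslice describes (Release lists the Packages index, Packages lists each .deb) can be checked with a few lines of code. The following is an added example, not part of the original answer or of apt's own code: the repository contents are constructed placeholders, and the GPG check of Release.gpg against the Release file is assumed to have already passed (in a real repo that step comes first, via gpg), so only the hash links below it are verified here.

```python
import hashlib

# Constructed sample data (not a real Debian package or repository).
DEB_PATH = "pool/main/e/example-tool_1.0-1_amd64.deb"
DEB_BLOB = b"!<arch>\nconstructed placeholder .deb contents\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BLOB = (
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BLOB)}\n"
    f"SHA256: {hashlib.sha256(DEB_BLOB).hexdigest()}\n\n"
).encode()
# The Release file lists the index files. Its detached signature (Release.gpg)
# is assumed to have been verified already; that is what makes these hashes trustworthy.
RELEASE_TEXT = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_BLOB).hexdigest()} {len(PACKAGES_BLOB)} {PACKAGES_PATH}\n"
)

def parse_release_sha256(release_text):
    """Return {path: (size, sha256)} from the 'SHA256:' stanza of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):   # stanza ends at the next top-level field
                break
            digest, size, path = line.split()
            entries[path] = (int(size), digest)
    return entries

def verify_blob(blob, expected_size, expected_sha256):
    """Both size and digest must match, as apt requires."""
    return len(blob) == expected_size and hashlib.sha256(blob).hexdigest() == expected_sha256

def parse_packages(packages_text):
    """Split a Packages index into one dict of fields per stanza."""
    return [dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
            for stanza in packages_text.strip().split("\n\n")]

def verify_chain(release_text, packages_path, packages_blob, deb_path, deb_blob):
    """Walk Release -> Packages -> .deb; return (ok, reason)."""
    size, digest = parse_release_sha256(release_text).get(packages_path, (None, None))
    if digest is None:
        return False, "Packages index not listed in Release"
    if not verify_blob(packages_blob, size, digest):
        return False, "Packages index hash mismatch"
    for pkg in parse_packages(packages_blob.decode()):
        if pkg.get("Filename") == deb_path:
            ok = verify_blob(deb_blob, int(pkg["Size"]), pkg["SHA256"])
            return (True, "ok") if ok else (False, ".deb hash mismatch")
    return False, ".deb not listed in Packages"
```

Tampering with either the index or the package file breaks the chain, which is why an attacker who can modify unencrypted traffic still cannot substitute packages without also forging the GPG signature on Release.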