
Re: Revival of the signed debs discussion



Joey Hess <joeyh@debian.org> writes:

> Andreas Metzler wrote:
> > I still don't understand how you change the version number (or the
> > package-name) without breaking the signature.
> 
> Which signature? The Packages file is being modified, so of course the
> chain of trust back to the Release file signature can be used to catch
> tampering with it. However, the signature in a deb itself cannot help
> against this kind of attack.
> 
> -- 
> see shy jo

Let's test this. First let's just fake the version:

% sudo apt-get install moon-buggy
Reading Package Lists... Done
Building Dependency Tree... Done
The following packages will be upgraded
  moon-buggy
1 upgraded, 0 newly installed, 0 to remove and 390 not upgraded.
Need to get 145kB of archives.
After unpacking 0B of additional disk space will be used.
Get:1 ftp://localhost sid/main moon-buggy 1.5.53-5.0.0.1 [145kB]
Fetched 145kB in 0s (300kB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 78663 files and directories currently installed.)
Preparing to replace moon-buggy 0.5.53-5.0.0.1 (using .../moon-buggy_1.5.53-5.0.0.1_i386.deb) ...
Unpacking replacement moon-buggy ...
Setting up moon-buggy (0.5.53-5.0.0.1) ...
                       ^^^^^^^^^^^^^^

One probably wouldn't notice that.

Now a different package name too:

% sudo apt-get install moon-buggy2
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  moon-buggy2
0 upgraded, 1 newly installed, 0 to remove and 390 not upgraded.
Need to get 145kB of archives.
After unpacking 238kB of additional disk space will be used.
Get:1 ftp://localhost sid/main moon-buggy2 1.5.53-5.0.0.1 [145kB]
Fetched 145kB in 0s (331kB/s)
Reading changelogs... Done
Preconfiguring packages ...
Selecting previously deselected package moon-buggy.
(Reading database ... 78645 files and directories currently installed.)
Unpacking moon-buggy (from .../moon-buggy2_1.5.53-5.0.0.1_i386.deb) ...
dpkg: error processing moon-buggy2 (--configure):
 no package named `moon-buggy2' is installed, cannot configure
Errors were encountered while processing:
 moon-buggy2
E: Sub-process /usr/bin/dpkg returned an error code (1)

% sudo dpkg -i pool/main/m/moon-buggy/moon-buggy2_1.5.53-5.0.0.1_i386.deb
(Reading database ... 78663 files and directories currently installed.)
Preparing to replace moon-buggy 0.5.53-5.0.0.1 (using .../moon-buggy2_1.5.53-5.0.0.1_i386.deb) ...
Unpacking replacement moon-buggy ...
Setting up moon-buggy (0.5.53-5.0.0.1) ...

Renaming a deb seems out of the question when using apt, but not with
dpkg directly. dpkg ignores the filename, so that's no surprise and as
it should be.


But this kind of tampering _can_ be checked by apt before installing
the deb simply by adding a signature verifier into the
DPkg::Pre-Install-Pkgs config option, the same mechanism
apt-listchanges already uses to display only the new section of the
changelog.

MfG
        Goswin
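The kind of hook the message above describes, as an added example that is not part of the original post and not code from Debian, apt or apt-listchanges: a DPkg::Pre-Install-Pkgs script that reads the .deb paths apt hands it on stdin and checks that the Package, Version and Architecture fields inside each .deb match the `<package>_<version>_<arch>.deb` filename apt derived from the Packages entry. This catches exactly the two cases shown above (a faked version, and a renamed package) before dpkg runs. The hook path `/usr/local/sbin/check-deb-identity`, the apt.conf fragment and the `build_deb` helper that constructs a minimal unsigned .deb for offline testing are assumptions of this example; verifying the deb's own signature first, which the message presumes, is not shown.

```python
"""apt DPkg::Pre-Install-Pkgs hook (added example, hypothetical script):
check each .deb apt is about to install against the name/version/arch
apt believes it fetched.  Assumed apt.conf fragment (version-1 hook
protocol, one .deb path per line on stdin):

    DPkg::Pre-Install-Pkgs { "/usr/local/sbin/check-deb-identity"; };
"""
import io
import os
import sys
import tarfile
from urllib.parse import unquote

AR_MAGIC = b"!<arch>\n"


def ar_members(data: bytes):
    """Yield (name, payload) for every member of an ar archive (a .deb)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]            # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, data[start:start + size]
        pos = start + size + (size & 1)     # members are padded to 2 bytes


def deb_control_fields(deb_bytes: bytes) -> dict:
    """Return the fields of the control file inside control.tar.*"""
    for name, payload in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
            for member in tar.getmembers():
                if os.path.basename(member.name) != "control":
                    continue
                text = tar.extractfile(member).read().decode("utf-8")
                fields = {}
                for line in text.splitlines():
                    if line and not line[0].isspace() and ":" in line:
                        key, _, value = line.partition(":")
                        fields[key.strip()] = value.strip()
                return fields
    raise ValueError("no control file in .deb")


def expected_from_filename(path: str):
    """apt names the download <package>_<version>_<arch>.deb from the
    Packages entry, so the filename records what apt expects to install."""
    base = os.path.basename(path)
    if not base.endswith(".deb"):
        raise ValueError("not a .deb filename")
    parts = base[:-4].split("_")
    if len(parts) != 3:
        raise ValueError("unexpected .deb filename layout")
    pkg, ver, arch = parts
    return pkg, unquote(ver), arch          # apt encodes ':' in epochs as %3a


def check_deb(path: str, deb_bytes: bytes) -> list:
    """List every mismatch between the filename and the control file."""
    pkg, ver, arch = expected_from_filename(path)
    fields = deb_control_fields(deb_bytes)
    problems = []
    for label, want in (("Package", pkg), ("Version", ver), ("Architecture", arch)):
        got = fields.get(label)
        if got != want:
            problems.append(f"{label}: apt expected {want!r}, .deb contains {got!r}")
    return problems


def main() -> int:
    failures = 0
    for line in sys.stdin:
        path = line.strip()
        if not path:
            continue
        with open(path, "rb") as f:
            problems = check_deb(path, f.read())
        for p in problems:
            print(f"{path}: {p}", file=sys.stderr)
        failures += bool(problems)
    return 1 if failures else 0   # a failing hook makes apt abort before dpkg runs


def build_deb(package: str, version: str, arch: str) -> bytes:
    """Constructed test input: minimal unsigned .deb (debian-binary +
    control.tar.gz, no data member) built in memory."""
    control = (f"Package: {package}\nVersion: {version}\n"
               f"Architecture: {arch}\nMaintainer: nobody\nDescription: test\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./control")
        info.size = len(control.encode())
        tar.addfile(info, io.BytesIO(control.encode()))
    out = bytearray(AR_MAGIC)
    for name, payload in (("debian-binary", b"2.0\n"), ("control.tar.gz", buf.getvalue())):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(payload):<10}`\n".encode()
        out += payload + (b"\n" if len(payload) & 1 else b"")
    return bytes(out)


if __name__ == "__main__":
    sys.exit(main())
```

Run against the Packages-file tampering above, a .deb whose control file says moon-buggy 0.5.53-5.0.0.1 but which apt fetched as moon-buggy_1.5.53-5.0.0.1_i386.deb fails on Version, and the moon-buggy2 rename fails on both Package and Version; the hook's non-zero exit status stops apt before dpkg is invoked. Only the .deb's own contents are trusted here, which is why the deb signature must be checked before this comparison means anything.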
