[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: https for apt to prevent man in middle transparent proxy mirror attacks?

On Wed, Jun 09, 2004 at 07:15:21AM -0700, Karl Hegbloom wrote:
> On Wed, 2004-06-09 at 16:08 +0200, Federico Di Gregorio wrote:
> > maybe i simply don't understand, but isn't Packages file signing done
> > exactly to avoid such an attack?
> 
> Can you please explain how that works?

Well I just took a five second glance at a mirror site and worked it out
as follows:

/debian/pool/main/ contains packages;

/debian/dists/sarge/main/binary-<arch>/Packages contains the list of
packages include md5sums;

/debian/dists/sarge/Release contains the md5sums of all of the
binary-<arch>/Packages files;

/debian/dists/sarge/Release.gpg contains a detached signature for
/debian/dists/sarge/Release.

Hence you verify the GPG signature for the top-level release file and
follow the md5sums from there. Simple.

Hamish
-- 
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
Reply to: