
Checking Signatures and Checksums

In the Debian Weekly News of 2001/03/14
Joey Hess wrote:

  For years we've known that Debian's means of getting packages and
  releases out to users is lacking from a security standpoint.
  There has been no way to know that the package you just downloaded
  was really made by a Debian developer and is really a part of a
  current Debian release. This is rapidly changing, and soon users
  will have two complementary ways to verify that they are installing
  legitimate packages. This week a patch was posted to the debian-dpkg
  list that adds support to dpkg for checking signatures of Debian
  packages. The signatures are held in a new section of the package
  itself, and tools are entering Debian now to add and check such
  signatures. This type of package signing parallels similar
  techniques that have been present in the rpm world for a long time,
  and they are a welcome addition to dpkg, but their usefulness should
  not be over-emphasized. 

  Signed packages alone still leave open several avenues of attack.
  Various evil things can be done to the Packages file, or by tricking
  apt into downloading an old and insecure package. Closing off these
  attacks requires another layer of security -- signed releases.
  Already Release.gpg files are appearing on the archive, and apt will
  soon be able to verify these signatures when it upgrades a Debian
  system. In the final analysis, neither of these schemes guarantees
  absolute security, but they will make attacks much harder for the
  black hats, and perhaps by the time woody is released, both types of
  signatures will be widely available. 

I understand that the checking of package signatures has been
integrated into dpkg, as of version 1.9.21.

According to "Securing Debian Manual - Package Signing in Debian",
the second (and, arguably, more important [if only because not all
packages are signed but all packages have a checksum]) security
measure mentioned above ("signed releases") is yet to be integrated.

The manual also gives a script, by Anthony Towns, that can be used in
the meantime. However, this script appears to be usable only in
conjunction with apt-get.

My question is this: Is there another script (for verifying signed
releases) that can be used in conjunction with dselect?
(Yes, there are people who prefer to use dselect over apt-get!)
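The verification chain the quoted text describes (Release.gpg signs the Release file, Release lists the checksum of each Packages file, Packages lists the checksum of each .deb), as an added Python example that is not part of this post or of the script from the manual. The sample Release and Packages contents are constructed, and the gpg step assumes the archive signing key is already in the local keyring.

```python
import hashlib
import re
import subprocess

def verify_release_signature(release_path, sig_path):
    """Step 1: check the detached Release.gpg signature with gpg (needs the
    archive key in the keyring; not exercised by the offline sample below)."""
    r = subprocess.run(["gpg", "--verify", sig_path, release_path], capture_output=True)
    return r.returncode == 0

def parse_release_md5sums(release_text):
    """Step 2: read the 'MD5Sum:' block of a Release file into {path: (md5, size)}."""
    sums, in_block = {}, False
    for line in release_text.splitlines():
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_block = line.startswith("MD5Sum:")
    return sums

def matches(data, expected):
    """Compare both the size and the MD5 of the bytes against an (md5, size) entry."""
    digest, size = expected
    return len(data) == size and hashlib.md5(data).hexdigest() == digest

def parse_packages(packages_bytes):
    """Step 3: split a Packages file into stanzas of 'Field: value' pairs."""
    return [dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", block, re.M))
            for block in packages_bytes.decode().strip().split("\n\n")]

def verify_chain(release_text, packages_path, packages_bytes, debs):
    """Walk Release -> Packages -> .deb; `debs` maps a Filename to downloaded bytes.
    Returns {filename: ok}; an empty dict means the Packages file itself failed."""
    sums = parse_release_md5sums(release_text)
    if packages_path not in sums or not matches(packages_bytes, sums[packages_path]):
        return {}  # Packages is untrusted, so nothing it lists can be trusted either
    results = {}
    for pkg in parse_packages(packages_bytes):
        data = debs.get(pkg["Filename"])
        results[pkg["Filename"]] = data is not None and matches(
            data, (pkg["MD5sum"], int(pkg["Size"])))
    return results

# Constructed sample archive: one package whose .deb content is the bytes b"abc".
DEB = b"abc"
PACKAGES = (b"Package: foo\nVersion: 1.0-1\nFilename: pool/main/f/foo/foo_1.0-1_i386.deb\n"
            b"Size: 3\nMD5sum: " + hashlib.md5(DEB).hexdigest().encode() + b"\n")
RELEASE = "Origin: Debian\nMD5Sum:\n %s %d main/binary-i386/Packages\n" % (
    hashlib.md5(PACKAGES).hexdigest(), len(PACKAGES))

if __name__ == "__main__":
    print(verify_chain(RELEASE, "main/binary-i386/Packages", PACKAGES,
                       {"pool/main/f/foo/foo_1.0-1_i386.deb": DEB}))
```

Run verify_release_signature on the real Release and Release.gpg first; only if it succeeds do the checksums in verify_chain mean anything.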

