Re: Study: Attacks on package managers (including apt)
Russ Allbery <email@example.com> writes:
> Michael Stone <firstname.lastname@example.org> writes:
>> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>>> and not only on a master, the various .gpg files and packages can, even
>>> though difficult, be modified on the single mirror. IMHO, verification
>>> needs to have an alternate channel than the downloads.
>> If someone can modify gpg signatures we have a bigger problem that can't
>> be solved by any solution proposed thus far.
> You have to make sure the Release.gpg and Timestamp.gpg files are linked
> in some fashion, or the fake mirror will just update its Timestamp.gpg
> file from the real mirror regularly while leaving all other files the
Timestamp.gpg would be the signature for Release just like Release.gpg
> In the debian-devel thread, the proposal was to instead resign Release.gpg
> and rely on the timestamp of its signature, which I think is a cleaner and
> simpler solution.
That would require the signing key to be online. For stable and
possibly security an offline key for manual signing is strongly
PS: Instead of a timestamp.gpg, with the Release.gpg you have 2
signatures. One fixed manual one by the release team and one daily
automatic one by the automatic archive key.