
Re: Study: Attacks on package managers (including apt)

Russ Allbery <rra@debian.org> writes:

> Michael Stone <mstone@debian.org> writes:
>> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>>> and not only on a master, the various .gpg files and packages can, even
>>> though difficult, be modified on the single mirror.  IMHO, verification
>>> needs to have an alternate channel than the downloads.
>> If someone can modify gpg signatures we have a bigger problem that can't
>> be solved by any solution proposed thus far.
> You have to make sure the Release.gpg and Timestamp.gpg files are linked
> in some fashion, or the fake mirror will just update its Timestamp.gpg
> file from the real mirror regularly while leaving all other files the
> same.

Timestamp.gpg would be the signature for Release just like Release.gpg.

> In the debian-devel thread, the proposal was to instead resign Release.gpg
> and rely on the timestamp of its signature, which I think is a cleaner and
> simpler solution.

That would require the signing key to be online. For stable and
possibly security, an offline key for manual signing is strongly


PS: Instead of a Timestamp.gpg, the Release.gpg would have 2
signatures. One fixed manual one by the release team and one daily
automatic one by the automatic archive key.
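A small model of the two-signature scheme sketched in the PS, added here as an illustration and not code from the thread or from apt: HMAC stands in for the OpenPGP signatures, the signature creation time is part of the signed data (as it is in a real OpenPGP signature), and a 2-day freshness window for the daily signature is assumed. It shows why binding the timestamp to the Release content matters: a frozen mirror fails the age check, and a fresh daily signature copied from the real mirror does not verify over an old Release.

```python
import hashlib
import hmac

# Assumption: a daily automatic signature older than 2 days is treated as stale.
MAX_AGE = 2 * 24 * 3600

# Constructed demo keys; a real archive would use the offline release-team
# key and the online automatic archive key instead.
RELEASE_KEY = b"manual-release-key"
ARCHIVE_KEY = b"automatic-archive-key"


def sign(key: bytes, release: bytes, created: int) -> dict:
    """Stand-in signature: an HMAC over the Release text and its creation time,
    so the timestamp cannot be swapped without invalidating the signature."""
    data = release + created.to_bytes(8, "big")
    return {"created": created, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}


def verify(key: bytes, release: bytes, sig: dict) -> bool:
    expected = sign(key, release, sig["created"])["mac"]
    return hmac.compare_digest(expected, sig["mac"])


def check_release(release: bytes, manual_sig: dict, daily_sig: dict, now: int) -> bool:
    """Client-side check: both signatures must cover this exact Release, and
    the automatic one must have been made recently."""
    if not verify(RELEASE_KEY, release, manual_sig):
        return False  # not signed by the release team
    if not verify(ARCHIVE_KEY, release, daily_sig):
        return False  # daily signature was made over some other Release
    return now - daily_sig["created"] <= MAX_AGE


def demo(now: int = 1_000_000_000) -> dict:
    # Constructed Release contents: v1 is an older archive state, v2 the current one.
    release_v1 = b"Suite: stable\nSHA256: aaaa pkg_1.0.deb\n"
    release_v2 = b"Suite: stable\nSHA256: bbbb pkg_1.1.deb\n"
    manual_v1 = sign(RELEASE_KEY, release_v1, now - 30 * 86400)
    manual_v2 = sign(RELEASE_KEY, release_v2, now - 10 * 86400)
    daily_v1_old = sign(ARCHIVE_KEY, release_v1, now - 20 * 86400)
    daily_v2_fresh = sign(ARCHIVE_KEY, release_v2, now - 3600)
    return {
        "current_mirror": check_release(release_v2, manual_v2, daily_v2_fresh, now),
        "frozen_mirror": check_release(release_v1, manual_v1, daily_v1_old, now),
        "fresh_sig_on_old_release": check_release(release_v1, manual_v1, daily_v2_fresh, now),
    }
```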
