
Re: Is packages build without verifying the source package signatures?



On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require
> that the source signature is verified correctly.
[...]
> So it doesn't have the public key (?) and so it doesn't check the
> package signature. But the package is built successfully... and
> signed.
> 
> If an attacker changes the source and packages it with a wrong private
> key, can he have his "patch" applied to the signed binary packages?

The packages that the buildds are building come from the Debian
archives, where the software that accepts uploads verifies the
signatures on the uploads. The metadata for the upload queues is also
GPG-signed by the archive software.

So, no, in practice it's not feasible for the attacker to inject
packages outside of the trust structure without already having
compromised some other part of the infrastructure.

Regards,

Adam
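As an added illustration (not code from this thread or from Debian's own archive tooling), here is the kind of check the archive performs on a source upload before buildds ever see it, and that dscverify(1) from devscripts performs locally: the .dsc signature must validate against a trusted keyring, and every file it references must match the size and SHA-256 recorded in that signed .dsc. The keyring path and the sample .dsc are assumptions; demo() exercises only the checksum part so it runs without gpgv.

```python
import hashlib, re, subprocess, tempfile
from pathlib import Path

DEBIAN_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"  # assumed path

def signature_ok(dsc_path, keyring=DEBIAN_KEYRING):
    """True only if gpgv accepts the .dsc signature with a key from the
    trusted keyring (needs gpgv on the host; not exercised by demo())."""
    r = subprocess.run(["gpgv", "--keyring", keyring, dsc_path],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def parse_checksums(dsc_text):
    """Map filename -> (size, sha256) from the Checksums-Sha256 field."""
    files, in_block = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
        elif in_block:
            m = re.match(r"^ ([0-9a-f]{64}) (\d+) (\S+)$", line)
            if not m:
                break  # indented lines ended: next field or signature block
            files[m.group(3)] = (int(m.group(2)), m.group(1))
    return files

def bad_files(dsc_text, directory):
    """Referenced files that are missing, wrongly sized, or altered."""
    bad = []
    for name, (size, digest) in parse_checksums(dsc_text).items():
        p = Path(directory) / name
        ok = p.is_file() and p.stat().st_size == size
        if ok:
            ok = hashlib.sha256(p.read_bytes()).hexdigest() == digest
        if not ok:
            bad.append(name)
    return bad

# Constructed sample .dsc body (armour omitted); digest is sha256(b"abc").
SAMPLE_DSC = """Source: hello
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 hello_1.0.orig.tar.gz
"""

def demo():
    """Check the constructed tarball, then the same file after tampering."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "hello_1.0.orig.tar.gz"
        tarball.write_bytes(b"abc")
        clean = bad_files(SAMPLE_DSC, d)
        tarball.write_bytes(b"abd")  # same size, different content
        return clean, bad_files(SAMPLE_DSC, d)
```

A substituted tarball with a matching size still fails the digest check, which is why the checksum step matters even after the signature on the .dsc has been accepted.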
