
Re: Does net install cryptographically verify downloaded data?



On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:

> Does net install cryptographically verify downloaded data?
> 
> Searching the iso for gpg/keyrings didn't return any results for me.

Sorry, sent too fast, so missed two crucial bits:

 - The net install image contains a minimal set of packages to
   "bootstrap" the installation from. This includes the package which
   installs the keys used to sign the Release files in the Debian
   archive which will be used by the netinstall process.

 - While individual packages are signed, APT actually verifies that
   the Release file it obtained from the archive has a correct
   signature. The Release file contains the checksums of the Packages
   files, which contain the checksums of the individual packages.

   Hence the validity of the signature of the Release file authenticates
   the individual packages indirectly - via checksumming.

