On Wed, Jan 27, 2021 at 10:23:44AM -0800, Ramin Doe wrote: > This lead me to search for more answers online, where I have found an > article that suggests that package metadata is verified, but that package > contents are not. > ([1]https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/) The signed metadata includes cryptographic checksums of the package contents. Thus, package contents can't be modified in storage on the mirror or in transit to your system without invalidating the checksum, and the checksums can't be updated in the repository metadata without invalidating the signature. > I do know that if I use "apt download" to download a .deb file, break it > apart (using ar and tar), make a change, and put it back together, I can > the use "apt install ./X.deb" to install it, even though I haven't updated > any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg > doesn't affect the outcome. That's correct; the validation happens during retrieval. Once the package is on your computer, you are free to tamper with it however you want. > And finally, it seems that even wikipedia says that package signatures > aren't being checked on most systems > ([3]https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages). That's correct; package validation is done as described above. You left out the part of the wikipedia article that states that "packages are verified by signing the repository metadata (i.e. Release files). The metadata files in turn include checksums for the repository files as a means to verify authenticity of the files." noah
Attachment:
signature.asc
Description: PGP signature