[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG verification of apt packages

On Wed, Jan 27, 2021 at 10:23:44AM -0800, Ramin Doe wrote:
>    This lead me to search for more answers online, where I have found an
>    article that suggests that package metadata is verified, but that package
>    contents are not.
>    ([1]https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/)

The signed metadata includes cryptographic checksums of the package
contents.  Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without
invalidating the signature.

>    I do know that if I use "apt download" to download a .deb file, break it
>    apart (using ar and tar), make a change, and put it back together, I can
>    the use "apt install ./X.deb" to install it, even though I haven't updated
>    any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg
>    doesn't affect the outcome.

That's correct; the validation happens during retrieval.  Once the
package is on your computer, you are free to tamper with it however you

>    And finally, it seems that even wikipedia says that package signatures
>    aren't being checked on most systems
>    ([3]https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).

That's correct; package validation is done as described above.  You left
out the part of the wikipedia article that states that "packages are
verified by signing the repository metadata (i.e. Release files).  The
metadata files in turn include checksums for the repository files as a
means to verify authenticity of the files."


Attachment: signature.asc
Description: PGP signature

Reply to: