
Re: GPG verification of apt packages



On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:
>      The signed metadata includes cryptographic checksums of the package
>      contents.  Thus, package contents can't be modified in storage on the
>      mirror or in transit to your system without invalidating the checksum,
>      and the checksums can't be updated in the repository metadata without
>      invalidating the signature.
> 
>    This all sounds pretty promising! Thank you, Noah! Do you happen to know
>    how to access this metadata? I'd love to be able to look at it and
>    understand it better.

See the signed InRelease files in /var/lib/apt/lists

>    Again, I'd love to see one of these release files, so I could see:
>    a) what data, exactly, is being checksummed
>    b) what sort of hash algorithm is involved
>    In my digging around so far, I found that the .deb file contains a
>    control.tar.xz file, which has some md5 checksum information, but it has
>    very patchy coverage of the files in the package. I hope that's just a
>    holdover from a deprecated mechanism, and is not being used nowadays.

The MD5 sums are used by the debsums program.  Because md5 is weak and
because there are plenty of ways to bypass file-level checksum
validation in general, these are more useful for identifying corruption
or valid local modifications than system compromise.

You should read
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

It's a little dated, as it still mentions the use of md5 in the Release
files when we use sha256 these days, but it's good for a higher level
overview.

noah
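
The chain Noah describes, as an added example that is not part of the original thread: the SHA256 section of the signed InRelease vouches for the Packages index, and each stanza's SHA256 in that index vouches for one .deb. It assumes the InRelease signature has already been verified (for example with gpgv against the archive keyring); the sample InRelease, Packages stanza and .deb bytes below are constructed, and the package and path names are illustrative.

```python
import hashlib
import re

def release_checksums(inrelease_text):
    """{path: (sha256_hex, size)} from the SHA256: section of a cleartext-signed InRelease."""
    sums, in_body, in_sha256 = {}, False, False
    for line in inrelease_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                       # signature block: already checked by gpgv (assumed)
        if not in_body:                 # armor header ends at the first blank line
            in_body = line == ""
            continue
        if line.startswith("- "):       # undo cleartext-signature dash escaping
            line = line[2:]
        if re.fullmatch(r"[A-Za-z0-9]+:", line):   # MD5Sum:/SHA1:/SHA256: section headers
            in_sha256 = line == "SHA256:"
        elif in_sha256 and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums

def package_checksums(packages_text):
    """{Filename: (sha256_hex, size)} from a Packages index, one stanza per binary package."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if l[:1] != " " and ": " in l)
        out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out

def verify_blob(data, expected):
    digest, size = expected             # both size and digest are recorded in the signed index
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def chain_ok(inrelease_text, packages_bytes, index_path, deb_path, deb_bytes):
    """InRelease vouches for the Packages index, which in turn vouches for the .deb."""
    if not verify_blob(packages_bytes, release_checksums(inrelease_text)[index_path]):
        return False                    # index tampered with, truncated or stale
    return verify_blob(deb_bytes, package_checksums(packages_bytes.decode())[deb_path])

# Constructed sample data, not a real archive: digests are computed here so the chain is consistent.
DEB = b"constructed stand-in for the bytes of hello_1.0_amd64.deb"
PACKAGES = ("Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
            "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n"
            "Description: constructed sample stanza\n").encode()
INRELEASE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
             "Origin: Debian\nSuite: stable\nCodename: EXAMPLE-PLACEHOLDER\nSHA256:\n"
             f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
             "-----BEGIN PGP SIGNATURE-----\n(omitted in this constructed sample)\n-----END PGP SIGNATURE-----\n")
```

A flipped byte anywhere in the .deb or the index breaks the chain even though the signature over InRelease is untouched, which is why the signed checksums, not the debsums MD5s, are what apt relies on.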
