[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG verification of apt packages

On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:
>      The signed metadata includes cryptographic checksums of the package
>      contents.  Thus, package contents can't be modified in storage on the
>      mirror or in transit to your system without invalidating the checksum,
>      and the checksums can't be updated in the repository metadata without
>      invalidating the signature.
>    This all sounds pretty promising! Thank you, Noah! Do you happen to know
>    how to access this metadata? I'd love to be able to look at it and
>    understand it better.

See the signed InRelease files in /var/lib/apt/lists

>    Again, I'd love to see one of these release files, so I could see:
>    a) what data, exactly, is being checksummed
>    b) what sort of hash algorithm is involved
>    In my digging around so far, I found that the .deb file contains a
>    control.tar.xz file, which has some md5 checksum information, but it has
>    very patchy coverage of the files in the package. I hope that's just a
>    holdover from a deprecated mechanism, and is not being used nowadays.

The MD5 sums are use by the debsums program.  Because md5 is weak and
because there are plenty of ways to bypass file-level checksum
validation in general, these are more useful at identifying corruption
or valid local modifications rather than system compromise.

You should read

It's a little dated, as it still mentions the use of md5 in the Release
files when we use sha256 these days, but it's good for a higher level


Attachment: signature.asc
Description: PGP signature

Reply to: