So after doing my reading and digging around a bit, I get a vague sense of the pieces involved. I can see the various data files available on the mirror site, that *could* be used to verify that all the files we receive are what we'd expect to be getting, based on some initial data (a trusted key) that we might have on our system. But as some have mentioned, the documentation in the Securing Debian Manual (https://www.debian.org/doc/manuals/securing-debian-manual/) is out of date and/or oversimplified. It's still helpful though!
So I could see how the local keys /etc/apt/trusted.gpg.d/*.gpg might be used to verify that InRelease that is downloaded from https://[mirrorsite]/debian/dists/buster/ is trustworthy. And it looks like that InRelease file contains sha256 signatures that can be used to verify the contents of various files, including Packages.gz that would be downloaded from https://[mirrorsite]/debian/dists/buster/main/binary-amd64/. In that Packages file, there are sha256 signatures for individual packages that apt would install, and those could be used to verify all the files that were downloaded by an `apt install` command before installation.
The only thing that still worries me a little bit is that I can't actually verify that any of the described verification is actually being done, or that I have imagined the process correctly. (Is there an existing corrupted mirror I can use? Is it hard to set one up? If I could force a package rejection in different ways, I'd be fully confident it was configured and functioning correctly).
It's not entirely clear to me what the CIS guideline was expecting me to do. It says:
Verify GPG keys are configured correctly for your package manager:
# apt-key list
Perhaps they want me to install apt-key, and use it to look at the gpg keys installed on my system, and then somehow verify that they aren't compromised? Does that sound like I'm understanding them correctly?
Thanks for all the help!
Ramin