Re: dpkg MD5
From: debianmailinglists.hz5zm@simplelogin.com:
>
> I'm not a Debian developer, just a curious onlooker who hasn't seen all
> of these messages, so I could be completely off base with my understanding
> of how things work. But, it was my understanding that the bundled MD5
> inside a .deb file isn't there for security, it's just there to make
> sure the packages arrived in one piece and weren't corrupted, and for
> that purpose it's still perfectly adequate. The "security", or
> validity of the packages' origin, is ensured by the digital signature
> on the packages or repos. A malicious package forged to match a
> desired MD5 would still fail a digital signature check.
>
> Am I incorrect in how this all works?
As I understand things (corrections, please), the individual packages
are usually not signed. Instead, the repository metadata is signed.
The metadata has the MD5 checksums.
Also see <https://en.wikipedia.org/wiki/Deb_(file_format)#Signed_packages>.
Jeff
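The chain Jeff describes (a signature on the repository metadata, which lists checksums of the Packages index, which in turn lists checksums of each .deb) can be walked with a few lines of code. The example below is added here and is not code from the thread or from apt/dpkg; the Release and Packages stanzas and the .deb bytes are constructed toy data, and the policy of requiring SHA256 rather than accepting an MD5-only archive is an assumption of the example. The OpenPGP signature check on the Release file itself (gpgv against the archive keyring) is what actually anchors trust and is not modelled; the code starts from the point where that check has passed.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data, not taken from any real Debian archive.
DEB_GOOD = b"!<arch>\ndebian-binary   2.0\ncontrol.tar.xz  ...\ndata.tar.xz     ...\n"
DEB_TAMPERED = DEB_GOOD.replace(b"2.0", b"2.1")  # same length, different content

RELEASE_FIELDS = {"MD5Sum": "md5", "SHA256": "sha256"}   # Release file section names
PACKAGES_FIELDS = {"MD5sum": "md5", "SHA256": "sha256"}  # Packages stanza field names
PACKAGES_PATH = "main/binary-all/Packages"
DEB_FILENAME = "pool/main/e/example/example_1.0-1_all.deb"
REQUIRED_ALGO = "sha256"  # assumed policy: an MD5-only archive is not accepted


def build_packages(deb: bytes) -> bytes:
    """Build a one-stanza Packages index listing the checksums of `deb`."""
    stanza = ["Package: example", "Version: 1.0-1", "Architecture: all",
              f"Filename: {DEB_FILENAME}", f"Size: {len(deb)}",
              f"MD5sum: {hashlib.md5(deb).hexdigest()}",
              f"SHA256: {hashlib.sha256(deb).hexdigest()}"]
    return ("\n".join(stanza) + "\n\n").encode()


def build_release(packages: bytes, sections=tuple(RELEASE_FIELDS)) -> str:
    """Build the Release file (the thing the archive key signs) for one Packages index."""
    lines = ["Origin: Example", "Suite: stable", "Components: main", "Architectures: all"]
    for header in sections:
        algo = RELEASE_FIELDS[header]
        lines.append(f"{header}:")
        lines.append(f" {hashlib.new(algo, packages).hexdigest()} {len(packages):>8} {PACKAGES_PATH}")
    return "\n".join(lines) + "\n"


def parse_release(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {algo: {path: (hexdigest, size)}} from the checksum sections of a Release file."""
    result: Dict[str, Dict[str, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()
            result[current][path] = (digest, int(size))
        else:
            current = None
            if line.endswith(":") and line[:-1] in RELEASE_FIELDS:
                current = RELEASE_FIELDS[line[:-1]]
                result.setdefault(current, {})
    return result


def parse_packages(data: bytes) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas of field -> value."""
    stanzas = []
    for block in data.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_chain(release_text: str, packages: bytes, deb: bytes,
                 packages_path: str = PACKAGES_PATH, deb_filename: str = DEB_FILENAME,
                 algo: str = REQUIRED_ALGO) -> Tuple[bool, str]:
    """Walk the chain below the signature: Release -> Packages -> .deb.

    Assumes the signature on Release has already been verified; every hash
    checked here is therefore covered by that signature, transitively."""
    entry = parse_release(release_text).get(algo, {}).get(packages_path)
    if entry is None:
        return False, f"Release lists no {algo} entry for {packages_path}"
    digest, size = entry
    if len(packages) != size or hashlib.new(algo, packages).hexdigest() != digest:
        return False, "Packages index does not match signed Release"
    field = {v: k for k, v in PACKAGES_FIELDS.items()}[algo]
    for stanza in parse_packages(packages):
        if stanza.get("Filename") == deb_filename:
            if int(stanza["Size"]) != len(deb):
                return False, ".deb size mismatch"
            if hashlib.new(algo, deb).hexdigest() != stanza.get(field):
                return False, f".deb {algo} mismatch"
            return True, "ok"
    return False, f"{deb_filename} not listed in Packages"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the chain against the good .deb and three tampering scenarios."""
    packages = build_packages(DEB_GOOD)
    release = build_release(packages)
    return {
        "good": verify_chain(release, packages, DEB_GOOD),
        # attacker swaps the .deb but cannot touch the index: caught at the .deb hash
        "tampered_deb": verify_chain(release, packages, DEB_TAMPERED),
        # attacker rewrites Packages to match the swapped .deb: caught at the signed Release
        "tampered_index": verify_chain(release, build_packages(DEB_TAMPERED), DEB_TAMPERED),
        # archive that publishes only MD5Sum: rejected by the assumed policy before any hashing
        "md5_only": verify_chain(build_release(packages, ("MD5Sum",)), packages, DEB_GOOD),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'PASS' if ok else 'FAIL'}: {reason}")
```

The "tampered_index" case is the one that matters for the thread's question: rewriting the unsigned index to match a forged .deb does not help an attacker, because the index itself is pinned by the signed Release file. Whether MD5 is still adequate at the .deb level then comes down to whether the archive also publishes a stronger digest for the same files and whether the client insists on it.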
- References:
- dpkg MD5
- From: David Campbell <dcampbell24@gmail.com>