Checking Signatures and Checksums
In the Debian Weekly News of 2001/03/14
Joey Hess wrote:
For years we've known that Debian's means of getting packages and
releases out to users is lacking from a security standpoint.
There has been no way to know that the package you just downloaded
was really made by a Debian developer and is really a part of a
current Debian release. This is rapidly changing, and soon users
will have two complementary ways to verify that they are installing
legitimate packages. This week a patch was posted to the debian-dpkg
list that adds support to dpkg for checking signatures of Debian
packages. The signatures are held in a new section of the package
itself, and tools are entering Debian now to add and check such
signatures. This type of package signing parallels similar
techniques that have been present in the rpm world for a long time,
and they are a welcome addition to dpkg, but their usefulness should
not be over-emphasized.
Signed packages alone still leave open several avenues of attack.
Various evil things can be done to the Packages file, or by tricking
apt into downloading an old and insecure package. Closing off these
attacks requires another layer of security -- signed releases.
Already Release.gpg files are appearing on the archive, and apt will
soon be able to verify these signatures when it upgrades a Debian
system. In the final analysis, neither of these schemes guarantees
absolute security, but they will make attacks much harder for the
black hats, and perhaps by the time woody is released, both types of
signatures will be widely available.
I understand that, the checking of package signatures has been
integrated into dpkg, as of version 1.9.21.
According to "Securing Debian Manual - Package Signing in Debian",
the second (and, arguably, more important [if only because not all
packages are signed but all packages have a checksum]) security
measure mentioned above ("signed releases") is yet to be integrated.
The manual also gives a script, by Anthony Towns, that can be used in
the mean time. However, this script appears to be usable only in
conjunction with apt-get.
My question is this: Is there another script (for verifying signed
releases) that can be used in conjunction with dselect?
(Yes, there are people who prefer to use dselect over apt-get!)