On Saturday 24 July 2010 17:21:28 Florian Kulzer wrote: > Furthermore, he is asking the wrong question if he wants real security. > If one downloads via an insecure protocol (http, ftp) then it does not > matter if the URL points to debian.org, kmuto.jp or rootkits-r-us.com, > because one is unprotected against a man-in-the-middle attack in any > case. That's not true. Long ago, the "secure-apt" project took this issue into account. The Packages file is GPG signed and this signature is verified during each (aptitude update), even during installation. (Although, I have seen some install methods subvert this check...) The Packages file contains multiple cryptographically-secure hashes of each binary package available from that archive/repository and (at least) one of these hashes is verified after download but before installation. The Sources file is similarly signed and provides hashes for the source packages available from that archive/repository. The official installation media are each singed and hashed in a cryptographically-secure manner, but you have to verify those manually. > The question that should be asked is: "How can I verify the checksums of > the kmuto images with cryptographic signatures that can be traced back > to a trusted key from the debian keyring?" (Unfortunately I do not know > the answer; I cannot find any signature whatsoever for the checksums.) Good question. I don't know how to verify the installation media. Assuming it uses the standard apt and normal repositories, all the packages installed during installation will be verified, and the archive/repository must be signed by a GPG key in the installation media's apt keyring. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.