
Re: How APT signs packages



On Fri, 19 Oct 2012, Darac Marjal wrote:

> On Fri, Oct 19, 2012 at 12:28:36PM +0300, Lars Nooden wrote:
> > Hi,
> > 
> > Where can I find an up-to-date description of exactly how PGP is used by APT 
> > in packaging?  I can't find the source any more but I got the impression 
> > that the individual packages were not signed but merely checksummed and 
> > that the list of checksums was the only thing that was actually signed.  
> > What is the real situation?
> 
> That is true. As described here[1], the package checksums are stored in
> the "Packages" file, the checksums for the "Packages" file are stored in
> the "Release" file and the release file is GPG signed. So you have a
> chain of fidelity from Releases to the package and a chain of trust from
> yourself to the Releases.
> 
> [1] http://wiki.debian.org/SecureApt

Thanks.  The weak point, relatively speaking, looks to be the MD5 
checksums in Releases.  The link above [1] says "MD5 is now a broken hash 
function, and should be replaced for all security-minded usages." 

Out of curiosity, what are the plans then for moving up to SHA256 or 
better?

Regards,
/Lars
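The chain Darac describes (Release digests cover the Packages file, Packages digests cover each .deb), walked in Python as an added example that is not part of this thread. It uses constructed sample files rather than a real mirror, assumes the Release signature has already been checked by gpgv, and prefers SHA256 over MD5 where both files list it, falling back to MD5 for an older Release that offers nothing stronger.

```python
import hashlib

# Constructed sample data (not a real Debian mirror): a fake .deb, a Packages
# stanza for it, and a Release file listing the Packages file's digests.
# Verifying the Release signature (gpgv) is assumed done; only the hash chain is walked.
DEB = b"fake-deb-contents-for-illustration\n"
DEB_PATH = "pool/main/e/example/example_1.0_all.deb"
PACKAGES = (
    f"Package: example\nVersion: 1.0\nFilename: {DEB_PATH}\nSize: {len(DEB)}\n"
    f"MD5sum: {hashlib.md5(DEB).hexdigest()}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n"
).encode()
PACKAGES_PATH = "main/binary-all/Packages"
RELEASE = (
    f"Suite: stable\nMD5Sum:\n {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n"
    f"SHA256:\n {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n"
)
RELEASE_MD5_ONLY = RELEASE.split("SHA256:")[0]  # older style: MD5 digests only

# (hashlib name, Release section, Packages field), strongest first.
ALGOS = [("sha256", "SHA256", "SHA256"), ("md5", "MD5Sum", "MD5sum")]

def parse_release(text):
    """{section: {path: (hexdigest, size)}} from a Release file body."""
    out, section = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and section:      # " <digest> <size> <path>"
            digest, size, path = line.split()
            out.setdefault(section, {})[path] = (digest, int(size))
        else:                                     # "MD5Sum:", "SHA256:", ...
            section = line.rstrip(":")
    return out

def parse_packages(data):          # one {field: value} dict per stanza
    return [dict((k, v.strip()) for k, v in (ln.split(":", 1) for ln in b.splitlines() if ":" in ln))
            for b in data.decode().split("\n\n") if b.strip()]

def digest_ok(data, algo, expected, size):
    return len(data) == size and hashlib.new(algo, data).hexdigest() == expected

def verify_chain(release_text, packages, packages_path, deb, deb_path):
    """Walk Release -> Packages -> .deb; return the hash used, or None on failure."""
    rel = parse_release(release_text)
    for algo, section, field in ALGOS:
        if packages_path not in rel.get(section, {}):
            continue                              # Release lacks this digest; try weaker
        if not digest_ok(packages, algo, *rel[section][packages_path]):
            return None                           # Packages does not match Release
        for st in parse_packages(packages):
            if st.get("Filename") == deb_path:
                return algo if digest_ok(deb, algo, st.get(field, ""), int(st["Size"])) else None
        return None                               # package not listed in Packages
    return None                                   # no usable digest in Release
```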

