Re: How APT signs packages
On Fri, 19 Oct 2012, Darac Marjal wrote:
> On Fri, Oct 19, 2012 at 12:28:36PM +0300, Lars Nooden wrote:
> > Hi,
> >
> > Where can I find an up-to-date description of exactly how PGP is used by APT
> > in packaging? I can't find the source any more but I got the impression
> > that the individual packages were not signed but merely checksummed and
> > that the list of checksums was the only thing that was actually signed.
> > What is the real situation?
>
> That is true. As described here[1], the package checksums are stored in
> the "Packages" file, the checksums for the "Packages" file are stored in
> the "Release" file and the release file is GPG signed. So you have a
> chain of fidelity from Releases to the package and a chain of trust from
> yourself to the Releases.
>
> [1] http://wiki.debian.org/SecureApt
Thanks. The weak point, relatively speaking, looks to be the MD5
checksums in Releases. The link above [1] says "MD5 is now a broken hash
function, and should be replaced for all security-minded usages."
Out of curiosity, what are the plans then for moving up to SHA256 or
better?
Regards,
/Lars
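The three-link chain described in the quoted reply (a signed Release file, which lists the hash of the Packages index, which in turn lists the hash of each .deb), as an added example that is not part of this thread or of apt's own code. It assumes a constructed archive with one package named "hello"; the Release, Packages and .deb contents and the signing key are all constructed here. Real apt verifies an OpenPGP signature on Release.gpg or InRelease against its trusted keyring; an HMAC over the Release text stands in for that step so the example runs offline with only the standard library. It also goes beyond the reply in one respect: it picks the strongest digest the Release file offers, so the weaker MD5 entries Lars asks about are only used when nothing better is listed.

```python
"""Model of the SecureApt hash chain: signed Release -> Packages -> .deb."""
import hashlib
import hmac

# Constructed stand-in for the archive signing key. apt really checks a
# detached OpenPGP signature; HMAC is used here only so the example runs
# offline with the standard library.
ARCHIVE_KEY = b"constructed-archive-signing-key"

# Release hash sections, strongest first, mapped to hashlib names.
DIGESTS = (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5Sum", "md5"))
INDEX_PATH = "main/binary-amd64/Packages"


def sign_release(release: bytes, key: bytes = ARCHIVE_KEY) -> str:
    """Stand-in for producing Release.gpg (see module comment)."""
    return hmac.new(key, release, hashlib.sha256).hexdigest()


def verify_release_signature(release: bytes, sig: str, key: bytes = ARCHIVE_KEY) -> bool:
    """Stand-in for checking Release.gpg against the trusted keyring."""
    return hmac.compare_digest(sign_release(release, key), sig)


def parse_release(text: str) -> dict:
    """Return {section: {path: (digest, size)}} for the MD5Sum/SHA1/SHA256 sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name = line.split(":", 1)[0]
            current = sections.setdefault(name, {}) if name in dict(DIGESTS) else None
            continue
        if current is not None and line.strip():
            digest, size, path = line.split()
            current[path] = (digest, int(size))
    return sections


def parse_packages(text: str) -> list:
    """Split a Packages index into stanzas of {field: value}."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def strongest_digest(sections: dict, path: str):
    """Prefer SHA256 over SHA1 over MD5 when the Release file lists several."""
    for section, hashname in DIGESTS:
        if path in sections.get(section, {}):
            return section, hashname, sections[section][path]
    raise KeyError(path)


def verify_chain(release: bytes, sig: str, packages: bytes, deb_name: str, deb_bytes: bytes):
    """Walk signature -> Release -> Packages -> .deb.

    Returns (ok, section): `section` is the Release hash section used for the
    Packages index, or "unsigned" when the signature check already fails.
    """
    if not verify_release_signature(release, sig):
        return False, "unsigned"
    section, hashname, (digest, size) = strongest_digest(parse_release(release.decode()), INDEX_PATH)
    if len(packages) != size or hashlib.new(hashname, packages).hexdigest() != digest:
        return False, section
    for stanza in parse_packages(packages.decode()):
        if stanza.get("Package") == deb_name:
            break
    else:
        return False, section
    field, pkg_hash = ("SHA256", hashlib.sha256) if "SHA256" in stanza else ("MD5sum", hashlib.md5)
    ok = int(stanza["Size"]) == len(deb_bytes) and pkg_hash(deb_bytes).hexdigest() == stanza[field]
    return ok, section


# Constructed archive: one package, its index, and a Release over the index.
DEB = b"constructed contents of hello_1.0_amd64.deb"
PACKAGES = (
    "Package: hello\n"
    "Version: 1.0\n"
    "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
    f"Size: {len(DEB)}\n"
    f"MD5sum: {hashlib.md5(DEB).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"
).encode()


def build_release(packages: bytes, sections=("MD5Sum", "SHA256")) -> bytes:
    """Constructed Release file listing the Packages index under each section."""
    names = dict(DIGESTS)
    out = ["Origin: Example", "Suite: stable", "Architectures: amd64"]
    for section in sections:
        out.append(f"{section}:")
        out.append(f" {hashlib.new(names[section], packages).hexdigest()} {len(packages)} {INDEX_PATH}")
    return ("\n".join(out) + "\n").encode()


RELEASE = build_release(PACKAGES)
RELEASE_SIG = sign_release(RELEASE)

if __name__ == "__main__":
    print(verify_chain(RELEASE, RELEASE_SIG, PACKAGES, "hello", DEB))
    print(verify_chain(RELEASE, RELEASE_SIG, PACKAGES, "hello", DEB + b"!"))
```

Every link is a size-plus-digest comparison, so a tampered .deb, a tampered Packages index, or a Release whose signature does not check all fail; the only cryptographic signature in the chain sits on the Release file, which is why the hash function named there matters as much as the key.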