
Re: How APT signs packages



Hello there,

On Fri, Oct 19, 2012 at 01:14:44PM +0300, Lars Nooden wrote:
> On Fri, 19 Oct 2012, Darac Marjal wrote:
> > [...]
> > [1] http://wiki.debian.org/SecureApt
> 
> Thanks.  The weak point, relatively speaking, looks to be the MD5 
> checksums in Releases.  The link above [1] says "MD5 is now a broken hash 
> function, and should be replaced for all security-minded usages." 
> 
> Out of curiosity, what are the plans then for moving up to SHA256 or 
> better?

There aren't any. That is, there aren't any such plans *anymore*, as
SHA256 is already in use and that page is partially misleading, cf.

----- 8< -----
What does it mean for md5sum to be broken? Since it's a checksum, I
thought the only way it can be broken is that it fails to compute the
proper checksum. I have a feeling some other meaning is intended.
--RossBoylan

**it is broken as people were able to actually create a fake certificate
that could sign anything and was trusted, they did this by finding a
collision, they created a certificate that had the same md5 sum as the
certificate they were issued, and were thereby able to give themselves
rights other than they were granted. --Scientes

***apt has supported sha256 checksums since version 0.7.7, so these will
be used in lenny and future releases. --JoeyHess
----- >8 -----

in the comments of the very same page as well as check your
/var/lib/apt/lists/*_{Release,Packages} for verification.

Cheers,
Flo
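
Added example, not part of the original message: the check suggested above (looking at the Release and Packages files under /var/lib/apt/lists/), done programmatically. It parses the checksum sections of a Release file and verifies an index against its SHA256 entry, refusing a Release that lists only weaker hashes. The Release text and Packages data are constructed samples, the function names are hypothetical, and the Release file is assumed to have had its signature verified already.

```python
import hashlib

# Constructed sample data (not taken from a real archive).
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.8-2\nArchitecture: amd64\n"
PATH = "main/binary-amd64/Packages"
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # Release field -> hashlib name

def build_sample_release(index):
    """Build a constructed Release file that lists PATH under every checksum field."""
    lines = ["Origin: Example", "Suite: stable"]
    for field, algo in FIELDS.items():
        digest = hashlib.new(algo, index).hexdigest()
        lines += [f"{field}:", f" {digest} {len(index):>8} {PATH}"]
    return "\n".join(lines) + "\n"

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for each checksum section present."""
    sections, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current:  # continuation line belonging to a checksum field
                digest, size, path = line.split()
                sections[current][path] = (digest.lower(), int(size))
        else:
            name = line.split(":", 1)[0]
            current = name if name in FIELDS else None
            if current:
                sections[current] = {}
    return sections

def verify_index(release_text, path, data, required="SHA256"):
    """True if data matches the `required` entry for path; raise if that entry is absent."""
    sections = parse_release(release_text)
    entry = sections.get(required, {}).get(path)
    if entry is None:
        # Do not fall back to MD5Sum/SHA1: a Release without SHA256 is rejected.
        raise ValueError(f"{path}: no {required} entry (found: {sorted(sections)})")
    digest, size = entry
    actual = hashlib.new(FIELDS[required], data).hexdigest()
    return len(data) == size and actual == digest

if __name__ == "__main__":
    release = build_sample_release(SAMPLE_PACKAGES)
    print("checksum sections:", sorted(parse_release(release)))
    print("Packages matches SHA256 entry:", verify_index(release, PATH, SAMPLE_PACKAGES))
```
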

