On Tue, 20 Sep 2022, Hans wrote:
> Dear list,
>
> I asked myself, how can I check if on a mirror there are no manipulated packages. The background of this is: the institution of the government I worked for before set up its own debian repo mirror, so that the servers of its network could be upgraded from it. However, I mistrusted the institution and feared they manipulated packages and built in backdoors (for example) or other things.
>
> Of course I can verify each single package with the original debian repo, but that is very toilsome. I checked the apt-* packages, but none of them described my needs. Is there a way (or maybe a package) to check a mistrusted package and verify it against another trusted repository?
>
> Of course I know any repo is trusted by a pgp-key (gpg-key), but then I trust the whole source. This is clear for me. But I want to check every single package (with identical versions of course), to give such traitors no chance. Is this possible at all?
apt does this for you. There is a set of gpg public keys in /etc/apt/trusted.gpg.d. When apt downloads the releases file it verifies it with these keys. If it cannot do that then it won't continue (unless you're on a very old distribution). It then downloads the packages file and verifies its hash against the one in the releases file that was signed. And finally, when it downloads the package it verifies the hash against the one in the packages file. So you're safe using any mirror or http connection.

There is one possible concern if you're particularly worried about a mirror - for a short time a mirror could delay updating, which would mean clients wouldn't get security fixes for known bugs. Eventually apt would start complaining about the signature being too old.

Also, in rare cases, you might not want a government to know what packages you're installing - e.g. crypto is restricted. Using https to a mirror in another country will help, but apt doesn't attempt to hide this information and it might be possible to work out what was downloaded just from bytes transferred and packet sizes to some degree.

Tim.
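The trust chain Tim describes (signed Release file, then Packages index, then the .deb itself) reproduced over constructed in-memory data, as an added example that is not part of the thread and not apt's own code. It assumes the first step, checking the Release file's OpenPGP signature against the keyrings in /etc/apt/trusted.gpg.d (what apt's gpgv call does), has already succeeded; only the two hash links below that signature are implemented here. The file paths, package name and package bytes are constructed sample values.

```python
"""Added example: the Release -> Packages -> .deb hash chain that apt checks.

The Release file's signature is assumed to be verified already (apt does
this with gpgv against /etc/apt/trusted.gpg.d); this code only follows the
hashes downward from that signed file. All sample data below is constructed.
"""
import hashlib
import re

# Constructed sample paths, shaped like real Debian archive paths.
DEB_PATH = 'pool/main/h/hello/hello_2.10-2_amd64.deb'
PACKAGES_PATH = 'main/binary-amd64/Packages'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {relative_path: (sha256, size)} from the SHA256: section of a Release file."""
    entries = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if re.match(r'^[A-Za-z0-9-]+:', line):   # a header such as "Suite:" or "SHA256:"
            in_sha256 = line.startswith('SHA256:')
            continue
        if in_sha256 and line.startswith(' '):     # " <hash> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: {field: value}} for every stanza of a Packages file."""
    stanzas = {}
    for block in re.split(r'\n\s*\n', packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ':' in line and not line.startswith(' '):
                key, value = line.split(':', 1)
                fields[key.strip()] = value.strip()
        if 'Filename' in fields:
            stanzas[fields['Filename']] = fields
    return stanzas


def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """Follow the hashes from the (already signature-checked) Release file down to the .deb.

    Returns (ok, reason). Each link is checked on size and SHA-256, as apt does.
    """
    index = parse_release_sha256(release_text)
    if packages_path not in index:
        return False, 'Packages file not listed in Release'
    want_digest, want_size = index[packages_path]
    if len(packages_bytes) != want_size or sha256_hex(packages_bytes) != want_digest:
        return False, 'Packages file does not match signed Release'
    stanzas = parse_packages(packages_bytes.decode())
    if deb_path not in stanzas:
        return False, 'package not listed in Packages'
    stanza = stanzas[deb_path]
    if len(deb_bytes) != int(stanza['Size']) or sha256_hex(deb_bytes) != stanza['SHA256']:
        return False, 'package contents do not match Packages'
    return True, 'ok'


def build_sample(deb_bytes):
    """Construct a minimal Packages file and Release file describing deb_bytes."""
    packages = (
        'Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n'
        f'Filename: {DEB_PATH}\nSize: {len(deb_bytes)}\nSHA256: {sha256_hex(deb_bytes)}\n'
        'Description: constructed sample package\n'
    ).encode()
    release = (
        'Origin: Debian\nSuite: stable\nDate: Mon, 01 Jan 2024 00:00:00 UTC\n'
        f'SHA256:\n {sha256_hex(packages)} {len(packages)} {PACKAGES_PATH}\n'
    )
    return release, packages


GOOD_DEB = b'constructed good package bytes'


def scenario_clean():
    release, packages = build_sample(GOOD_DEB)
    return verify_chain(release, PACKAGES_PATH, packages, DEB_PATH, GOOD_DEB)


def scenario_tampered_deb():
    # The mirror swaps the .deb but leaves the index alone: caught at the Packages link.
    release, packages = build_sample(GOOD_DEB)
    return verify_chain(release, PACKAGES_PATH, packages, DEB_PATH, GOOD_DEB + b'extra')


def scenario_rewritten_index():
    # The mirror also rewrites Packages to match the altered .deb: caught at the
    # Release link, because the mirror cannot re-sign Release with Debian's key.
    release, _ = build_sample(GOOD_DEB)
    altered = GOOD_DEB + b'extra'
    _, altered_packages = build_sample(altered)
    return verify_chain(release, PACKAGES_PATH, altered_packages, DEB_PATH, altered)


if __name__ == '__main__':
    for name, fn in [('clean', scenario_clean), ('tampered deb', scenario_tampered_deb),
                     ('rewritten index', scenario_rewritten_index)]:
        print(f'{name}: {fn()}')
```

The third scenario is the one that answers Hans's worry: a mirror operator can replace a .deb and regenerate the Packages index to match, but the Release file that names the index hash is signed by the archive key, which the mirror does not hold, so the mismatch surfaces one level up and apt refuses the index. Comparing individual packages against a second mirror therefore adds nothing beyond what the signed chain already proves, as long as the keyring in /etc/apt/trusted.gpg.d itself is trustworthy.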