Re: Verify a mirror?
Hi Tim,
I am not sure you are correct. But please correct me!
> apt does this for you. There are a set of gpg public keys in
> /etc/apt/trusted.gpg.d.
>
Yes, apt is trusting the whole server, so it verifies that a server which
claims to be repo.debian.org is the real one, nothing else.
> When apt downloads the releases file it verifies it with these keys. If
> it cannot do that then it won't continue. (unless you're on a very old
> distribution)
>
As far as I know, apt just downloads the release.gpg file, which is just one
key for the server, but NOT for all the packages.
> It then downloads the packages file and verifies its hash against the
> one in the releases file that was signed.
There is my first problem: On any repo server, the keys could be created by a
malicious sysadmin. Thus not only the server key is poisoned, of course also
the package keys are poisoned.
At that moment, I still cannot see whether the keys on "good" server A differ
from those on "bad" server B.
>
> And finally, when it downloads the package it verifies the hash against
> the one in the packages file.
>
Yes, but these keys are also created by the creator of the malicious package.
> So you're safe using any mirror or http connection.
>
I still believe I am NOT safe!
> Tim.
As all the keys (repo keys and package keys) are created by a malicious
sysadmin (as he created the packages and also the whole repo server), I can
NOT check whether this server is trustworthy.
However, I can download all keys from a trusted server, create hashes of all
packages, and of course check the hashes of all keys between a trusted and an
untrusted server. But that needs a lot of effort.
I admit one could create a script which does it automatically (but this will
also be a lot of effort).
I thought there would be another way, or an existing way.
Please do not think it over again, it was just a theoretical mind game. Never
ever would I use a server I do not fully trust! But it would be nice if one
could easily check and prove that this "new, super fine and trusty" repo is
malicious.
And yes, call me paranoid - I am!
Best
Hans
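The hash chain Tim describes (Release -> Packages -> .deb), as an added example that is not part of this thread and not apt's own code. The Release and Packages texts and the .deb bytes are constructed stand-ins; the OpenPGP signature check on Release against the locally installed archive key is assumed to have been done already, and is the step a mirror cannot forge.

```python
import hashlib

# Constructed stand-ins for one package and the two index files covering it.
DEB_BYTES = b"constructed stand-in for hello_1.0_amd64.deb\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

PACKAGES_TEXT = (
    "Package: hello\nVersion: 1.0\n"
    "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n\n"
)
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_TEXT.encode())} {len(PACKAGES_TEXT.encode())}"
    " main/binary-amd64/Packages\n"
)

def release_sha256_entries(release_text: str) -> dict:
    """Parse the SHA256: section of a Release file into {path: (digest, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break  # next top-level field ends the section
    return entries

def packages_entries(packages_text: str) -> dict:
    """Parse Packages stanzas into {Filename: (SHA256, Size)}."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        entries[f["Filename"]] = (f["SHA256"], int(f["Size"]))
    return entries

def verify_chain(release_text, packages_path, packages_text, deb_path, deb_bytes):
    """Links 2 and 3 of apt's chain: Release -> Packages -> .deb. Link 1, the
    OpenPGP signature on Release checked against keys installed locally in
    /etc/apt/trusted.gpg.d, is assumed done; a mirror cannot forge it."""
    want = release_sha256_entries(release_text).get(packages_path)
    data = packages_text.encode()
    if want is None or want != (sha256_hex(data), len(data)):
        return False
    want = packages_entries(packages_text).get(deb_path)
    return want == (sha256_hex(deb_bytes), len(deb_bytes))
```

A mirror that swaps the .deb fails at the Packages hash; a mirror that also rewrites Packages to match fails at the Release hash, because Release was signed upstream and the mirror has no archive key to re-sign it.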