
Re: Verify a mirror?



Hi Tim, 

I am not sure you are correct. But please correct me!
> apt does this for you. There are a set of gpg public keys in
> /etc/apt/trusted.gpg.d.
> 

Yes, apt is trusting the whole server, so it verifies that a server that
claims to be repo.debian.org is the real one, nothing else.

> When apt downloads the releases file it verifies it with these keys. If
> it cannot do that then it won't continue. (unless you're on a very old
> distribution)
> 

As far as I know, apt just downloads the release.gpg file, which is just one
key for the server, but NOT for all the packages.

> It then downloads the packages file and verifies its hash against the
> one in the releases file that was signed.

There is my first problem: On any repo server, the keys could be created by a
malicious sysadmin. Thus not only the server key is poisoned, of course also
the package keys are poisoned.

At that moment, I can still not see if the keys on "good" server A differ
from "bad" server B.
> 
> And finally, when it downloads the package it verifies the hash against
> the one in the packages file.
> 

Yes, but these keys are also created by the creator of the malicious package.

> So you're safe using any mirror or http connection.
> 

I still believe I am NOT safe!

> Tim.

As all the keys (repo keys and package keys) are created by a malicious
sysadmin (as he created the packages and also the whole repo server),
I can NOT check if this server is trustworthy.

However, I can download all keys from a trusted server, create hashes of all
packages, and of course check the hashes of all keys between a trusted and a
non-trusted server. But that needs a lot of effort.

I admit, one could create a script which does this automatically (but this
will also be a lot of effort).

I thought there would be another way, or an existing way.

Please do not think it over again, it was just a theoretical mindplay. Never
ever would I use a server I do not fully trust! But it would be nice if one
could easily check and prove that this "new, super fine and trusty" repo is
malicious.

And yes, call me paranoid - I am!

Best

Hans   
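The hash chain Tim describes, as an added example that is not part of this thread: a Python sketch of the checks apt performs after the Release file's signature has been verified against the keys in /etc/apt/trusted.gpg.d, showing that a mirror only serves bytes and cannot substitute a package without breaking the chain back to the signed Release file. Signature verification itself is assumed to have already succeeded, and all file names, contents and hashes below are constructed sample data.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a new field header, e.g. "SHA256:"
            in_section = line.rstrip(":") == "SHA256"
            continue
        if in_section:                          # " <digest> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Return {Filename: sha256_hex} for every stanza in a Packages file."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = fields["SHA256"]
    return result

def _matches(data, digest, size=None):
    return hashlib.sha256(data).hexdigest() == digest and (size is None or len(data) == size)

def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """Checks performed after the Release signature is trusted (assumed verified here):
    the Packages index must match its entry in Release, and the .deb must match
    its entry in Packages. Anything the mirror altered fails at one of these steps."""
    release = parse_release_sha256(release_text)
    if packages_path not in release or not _matches(packages_bytes, *release[packages_path]):
        return False                            # index tampered with or missing
    packages = parse_packages(packages_bytes.decode())
    return deb_path in packages and _matches(deb_bytes, packages[deb_path])

def demo():
    """Constructed sample data: the genuine .deb passes, a tampered copy fails."""
    deb_path = "pool/main/h/hello/hello_1.0_amd64.deb"
    deb = b"!<arch>\nconstructed-sample-deb-contents\n"
    packages = (f"Package: hello\nVersion: 1.0\nFilename: {deb_path}\n"
                f"SHA256: {hashlib.sha256(deb).hexdigest()}\n\n").encode()
    release = ("Origin: Debian\nSHA256:\n"
               f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-amd64/Packages\n")
    genuine = verify_chain(release, "main/binary-amd64/Packages", packages, deb_path, deb)
    tampered = verify_chain(release, "main/binary-amd64/Packages", packages, deb_path, deb + b"x")
    return genuine, tampered                    # returns (True, False)
```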


