Goswin von Brederlow wrote: > What can we do with deb signatures? > > For our current problem, the integrity of the debian archive being > questioned, the procedure would be easy and available to every user: > > 1. get any clean Debian keyring (or just the key signing the keyring) > 2. verify the latest Debian keyring > 3. verify that each deb was signed by a DD and the signature fits
The canoical attack against signed debs in this situation is to find a signed deb on snapshot.debian.net that contains a known security hole. Now inject it into the compromised archive, with a changed filename, and edit the Packages file to have its md5sum. Now a user's checks will succeed -- the package is signed with a developer's key -- but they will install the old, insecure .deb. The only hint will be a warning from dpkg that it is downgrading the package, and a clever attacker might avoid even that. I would still like to be able to produce signed debs, it's another layer of security, but they are no panacea. -- see shy jo
signature.asc
Description: Digital signature