Hi Tim,

I am not sure you are correct. But please correct me!

> apt does this for you. There are a set of gpg public keys in
> /etc/apt/trusted.gpg.d.

Yes, apt is trusting the whole server, so it verifies that a server who claims to be repo.debian.org is the real one, nothing else.

> When apt downloads the releases file it verifies it with these keys. If
> it cannot do that then it won't continue. (unless you're on a very old
> distribution)

As far as I know, apt just downloads the release.gpg file, which is just one key for the server, but NOT for all the packages.

> It then downloads the packages file and verifies its hash against the
> one in the releases file that was signed.

There is my first problem: on any repo server, the keys could be created by a malicious sysadmin. Thus not only the server key is poisoned, of course also the package keys are poisoned. At that moment, I still cannot see if the keys on "good" server A differ from "bad" server B.

> And finally, when it downloads the package it verifies the hash against
> the one in the packages file.

Yes, but these keys are also created by the creator of the malicious package.

> So you're safe using any mirror or http connection.

I still believe I am NOT safe!

> Tim.

As all the keys (repo keys and package keys) are created by a malicious sysadmin (as he created the packages and also he created the whole repo server), I can NOT check if this server is trustworthy. However, I can download all keys from a trusted server, create hashes of all packages, and of course check the hashes of all keys between a trusted and a not-trusted server. But that needs a lot of effort. I admit one could create a script which does it automatically (but this will also be a lot of effort).

I thought there would be another way, or an existing way. Please do not think it over again, it was just a theoretical mind game. Never ever would I use a server I do not fully trust! But it would be nice if one could easily check and prove that this "new, super fine and trusty" repo is malicious.

And yes, call me paranoid - I am!

Best
Hans
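A worked example of the two things discussed in this exchange, added here as an illustration and not code from apt or from either poster: first, the Release -> Packages -> .deb hash chain that apt walks once the Release signature has been verified (in real apt that signature step is done by gpgv against the keyrings in /etc/apt/trusted.gpg.d; it is assumed to have happened before this code runs and is not reproduced here), and second, the cross-check Hans proposes, comparing the hash table of a Release file fetched from a trusted server with the one served by a suspect mirror. All mirror contents, package names and paths below are constructed stand-ins, and the mirror layout is simplified to one component, one architecture and one package.

```python
import hashlib
import re

# Path of the (single) index file in the constructed mirror layout.
PACKAGES_PATH = "main/binary-amd64/Packages"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_mirror(deb_bytes: bytes, version: str) -> dict:
    """Construct the artefacts of a minimal mirror: Release, Packages and one .deb.

    Assumption: whoever runs the server can regenerate all three so that they
    are mutually consistent, which is exactly the situation described above.
    """
    deb_path = f"pool/main/h/hello/hello_{version}_amd64.deb"
    packages = (
        f"Package: hello\nVersion: {version}\nArchitecture: amd64\n"
        f"Filename: {deb_path}\nSize: {len(deb_bytes)}\nSHA256: {sha256(deb_bytes)}\n\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: stable\nSHA256:\n"
        f" {sha256(packages)} {len(packages):16d} {PACKAGES_PATH}\n"
    ).encode()
    return {"Release": release, PACKAGES_PATH: packages, deb_path: deb_bytes}


def release_digests(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    out, in_section = {}, False
    for line in release.decode().splitlines():
        if not line.startswith(" "):          # a new field header ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out


def packages_entries(packages: bytes) -> dict:
    """Return {Filename: (sha256, size)} for every stanza of a Packages file."""
    out = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out


def verify_chain(mirror: dict, deb_path: str) -> bool:
    """Replay the hash checks apt performs after the Release signature verified:
    Release -> Packages, then Packages -> .deb. Both digest and size must match."""
    digest, size = release_digests(mirror["Release"])[PACKAGES_PATH]
    packages = mirror[PACKAGES_PATH]
    if sha256(packages) != digest or len(packages) != size:
        return False
    deb_digest, deb_size = packages_entries(packages)[deb_path]
    deb = mirror[deb_path]
    return sha256(deb) == deb_digest and len(deb) == deb_size


def differing_index_files(trusted_release: bytes, suspect_release: bytes) -> list:
    """The cross-check from the thread: every index whose digest on the suspect
    server differs from (or is missing next to) the trusted server's Release."""
    trusted = release_digests(trusted_release)
    suspect = release_digests(suspect_release)
    return sorted(p for p in trusted if suspect.get(p) != trusted[p])


# Constructed stand-ins for a genuine and a trojaned .deb (not real archives).
GOOD_DEB = b"!<arch>\nconstructed stand-in for the genuine hello .deb\n"
EVIL_DEB = b"!<arch>\nconstructed stand-in for a trojaned hello .deb\n"
DEB_PATH = "pool/main/h/hello/hello_2.10-3_amd64.deb"

# A trusted mirror, and a suspect mirror whose operator rebuilt every index
# so the chain is internally consistent (Hans's scenario).
TRUSTED = build_mirror(GOOD_DEB, "2.10-3")
SUSPECT = build_mirror(EVIL_DEB, "2.10-3")

# A mirror that kept the genuine indexes but swapped only the .deb.
MIXED = dict(TRUSTED)
MIXED[DEB_PATH] = EVIL_DEB

if __name__ == "__main__":
    print("trusted chain ok:", verify_chain(TRUSTED, DEB_PATH))   # True
    print("suspect chain ok:", verify_chain(SUSPECT, DEB_PATH))   # True: consistent, but not trustworthy
    print("mixed chain ok:  ", verify_chain(MIXED, DEB_PATH))     # False: caught by the chain alone
    print("indexes differing from trusted server:",
          differing_index_files(TRUSTED["Release"], SUSPECT["Release"]))
```

The point the example makes concrete: a mirror that swaps only a .deb is caught by the hash chain, but a mirror whose operator regenerates Packages and Release as well passes the chain, so the decision rests entirely on whose key signed Release. Comparing the suspect server's Release hash table against one fetched from a server you trust (or, equivalently, verifying the suspect Release signature only against your own keyring, never a key the mirror ships) is the automated check that exposes the rebuilt indexes.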