On Tue, 20 Sep 2022, Hans wrote:

Hi Tim,

I am not sure you are correct. But please correct me!
apt does this for you. There are a set of gpg public keys in
/etc/apt/trusted.gpg.d.


Yes, apt is trusting the whole server, so it verifies that a server which
claims to be repo.debian.org is the real one, nothing else.

No, apt is verifying the release file was signed by a key that it has
the matching public key for.

This is completely independent of verifying the server name - which is
what happens if you use https and is not important for apt.

When apt downloads the releases file it verifies it with these keys. If
it cannot do that then it won't continue. (unless you're on a very old
distribution)


As far as I know, apt just downloads the release.gpg file, which is just one
key for the server, but NOT for all the packages.

It's not a key, it's a signature. Apt verifies it locally.

It then downloads the packages file and verifies its hash against the
one in the releases file that was signed.

There is my first problem: On any repo server, the keys could be created by a
malicious sysadmin. Thus not only the server key is poisoned, of course the
package keys are also poisoned.

No, the keys are local to apt.

At that moment, I still cannot see if the keys on "good" server A differ
from those on "bad" server B.

There are no keys on A or B. There are signatures that apt will verify
using the keys it has locally.


And finally, when it downloads the package it verifies the hash against
the one in the packages file.


Yes, but these keys are also created by the creator of the malicious package.

So you're safe using any mirror or http connection.


I still believe, I am NOT safe!

Tim.

As all the keys (repo-keys and package-keys) are created by a malicious
sysadmin (as he created the packages and also the whole repo server), I can
NOT check if this server is trustworthy.

However, I can download all keys from a trusted server, create hashes of all
packages, and of course check the hashes of all keys between a trusted and a
not-trusted server. But that needs a lot of effort.

You CANNOT get the private keys from anywhere - Debian won't give them
to you or anyone else.


I admit, one could create a script which does it automatically (but this
will also be a lot of effort).

I thought there would be another way, or an existing way.

All you need to do is verify the local copy of the public keys in
/etc/apt/trusted.gpg.d. If you're happy with what is in there then
(assuming your server isn't rooted) you can be confident that apt will
only install official packages, even if you use http to download.

Tim

p.s. This all assumes you don't disable apt's checking which I think is
still possible.
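The chain of checks Tim describes (signed Release -> hash of Packages -> hash of the .deb), as an added example that is not part of this thread. It models only the hash steps: the Release signature itself is checked by gpgv against the keys in /etc/apt/trusted.gpg.d, and the code assumes that step has already passed. All file contents below are constructed, not real Debian data.

```python
import hashlib
# Constructed sample data, not real Debian content: a fake .deb, the Packages
# stanza describing it, and the Release body that lists the Packages index.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed placeholder, not a real package\n"
FILENAME = "pool/main/h/hello/hello_2.10-3_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def build_packages(deb: bytes) -> bytes:
    return (f"Package: hello\nVersion: 2.10-3\nArchitecture: amd64\nFilename: {FILENAME}\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n\n").encode()
def build_release(packages: bytes) -> str:
    return ("Suite: stable\nArchitectures: amd64\nComponents: main\nSHA256:\n"
            f" {sha256(packages)} {len(packages)} {PACKAGES_PATH}\n")

def release_hashes(release: str) -> dict:
    """Map index path -> SHA256 digest from the Release file's 'SHA256:' block."""
    hashes, in_block = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_block = False
    return hashes

def package_hashes(packages: bytes) -> dict:
    """Map pool filename -> SHA256 digest from each Packages stanza."""
    result = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        result[fields["Filename"]] = fields["SHA256"]
    return result

def verify_chain(release: str, packages: bytes, deb_name: str, deb: bytes) -> bool:
    """Hash chain apt walks after gpgv has verified the Release signature with the
    local keys in /etc/apt/trusted.gpg.d: Release -> Packages -> .deb."""
    if release_hashes(release).get(PACKAGES_PATH) != sha256(packages):
        return False  # mirror's Packages index does not match the signed Release
    return package_hashes(packages).get(deb_name) == sha256(deb)

def demo() -> tuple:
    """Good mirror A passes; 'bad server B' ships a modified .deb plus a Packages
    index rewritten to match, but cannot re-sign Release, so the chain breaks."""
    packages = build_packages(DEB_BYTES)
    release = build_release(packages)
    evil = DEB_BYTES + b"\nextra payload"
    return (verify_chain(release, packages, FILENAME, DEB_BYTES),
            verify_chain(release, build_packages(evil), FILENAME, evil))
```

The only trust anchor in the chain is the keyring used to verify Release; the mirror supplies signatures and hashes, never keys.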
