Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I trust the archive maintainers and have a secure way to get a copy of
> > their public key. I don't trust individual developers and cannot have
> > all of their keys securely distributed to me.
>
> Yes, you would have to sign the packages with your own key after verifying
> the release file.

If you are talking about automating the verification process, that wouldn't quite work. The system that downloads the packages might have been compromised. The files that I would sign on that system might have been already modified at the time when I sign them. So I don't see how signing the packages with my own key could help here. Am I missing something?

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: How to verify package integrity after they have been downloaded?
In article <[EMAIL PROTECTED]> you wrote:
> I trust the archive maintainers and have a secure way to get a copy of
> their public key. I don't trust individual developers and cannot have
> all of their keys securely distributed to me.

Yes, you would have to sign the packages with your own key after verifying the release file.

Regards,
Bernd

Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
>
> It should be possible to verify the package at install time. (Especially
> when not using apt-get).
>
> Not sure if debsig-verify can work in that environment.

debsig-verify is not applicable in my case. It implements a different checking scheme from apt-secure with a different chain of trust. debsig-verify can check the signature of the individual who prepared a package, while apt-secure verifies the signature of archive maintainers which applies to all packages. debsig-verify cannot verify the archive maintainers' signature (Release.gpg).

I trust the archive maintainers and have a secure way to get a copy of their public key. I don't trust individual developers and cannot have all of their keys securely distributed to me.

As far as I know, debsig-verify is not currently in use by either Debian or Ubuntu, and many packages lack a signature. The Securing Debian Manual (section 7.4.5) even says that signatures from developers are stripped when the packages enter the archive because the preferred method of verification is secure apt.

-- Alexander

TR: How to verify package integrity after they have been downloaded?
That seems the best way.
The second step will be to use another OS than the first, to reduce even more the attack surface from the disk being read.

-- Julien

-----Original Message-----
From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]
Sent: Saturday, 5 April 2008 22:33
To: debian-security@lists.debian.org
Cc: Julien Stuby
Subject: Re: How to verify package integrity after they have been downloaded?

On Sun, Apr 6, 2008, Julien Stuby <[EMAIL PROTECTED]> wrote:
> Hi,
>
> If some packages are locally modified, this suggests that your local system
> is already compromised.
> :¬

Of course. I will be verifying the integrity of my .deb files from another, more trusted system (a LiveCD or a hardened host that has never been connected to any network, etc.). So the compromise of my system won't prevent me from checking the package integrity securely.

The second system is not immune. It might have a vulnerability in its filesystem layer or in the code that processes the Release and Packages files, and a local IDS might not be able to detect the exploitation of such a vulnerability. But that is acceptable because the attack surface of the trusted system is much reduced compared to that of the first system.

-- Alexander

Re: How to verify package integrity after they have been downloaded?
In article <[EMAIL PROTECTED]> you wrote:
> If some packages are locally modified, this suggests that your local system
> is already compromised.

Not if you use an NFS-mounted shared cache.

It should be possible to verify the package at install time. (Especially when not using apt-get).

Not sure if debsig-verify can work in that environment.

Regards,
Bernd

Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Julien Stuby <[EMAIL PROTECTED]> wrote:
> Hi,
>
> If some packages are locally modified, this suggests that your local system
> is already compromised.
> :¬

Of course. I will be verifying the integrity of my .deb files from another, more trusted system (a LiveCD or a hardened host that has never been connected to any network, etc.). So the compromise of my system won't prevent me from checking the package integrity securely.

The second system is not immune. It might have a vulnerability in its filesystem layer or in the code that processes the Release and Packages files, and a local IDS might not be able to detect the exploitation of such a vulnerability. But that is acceptable because the attack surface of the trusted system is much reduced compared to that of the first system.

-- Alexander

RE: TR: How to verify package integrity after they have been downloaded?
Hotmail live connector bug again ...

> Hi,
>
> If some packages are locally modified, this suggests that your local
> system is already compromised.
> :¬
>
> From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 5 April 2008 06:11
> To: debian-security@lists.debian.org
> Subject: How to verify package integrity after they have been downloaded?
>
> I would like to verify that some .deb files I downloaded a while ago
> (using apt) haven't been tampered with. (Actually, I'll be doing this
> kind of thing more than once.) I have the appropriate Release,
> Release.gpg and Packages files.
>
> As the apt-secure(8) manual page states, apt verifies the integrity of
> the .deb packages when it downloads them. But it doesn't do so when
> installing from cache. To make sure, I manually modified a .deb file
> in /var/cache/apt/archives/ and installed that package with apt-get.
> The modified package was installed without any warnings.
>
> (I'm working on Ubuntu 7.10 but I think there's no difference here
> between Debian and Ubuntu. Please correct me if I'm wrong.)
>
> I can verify the signature of the Release file and check the hash-sum
> of the Packages file by hand. But there are a lot of .deb files to
> verify. I could write a script that would parse the Packages file and
> extract the checksums so that its output could be fed to the
> {md5,sha1,sha256}sum -c commands. But it would take considerable
> effort to make the script robust enough so that it doesn't break on
> new or malicious Packages files.
>
> Is there a simpler way to verify the integrity of .deb packages that
> were downloaded with apt?

TR: How to verify package integrity after they have been downloaded?
-----Original Message-----
From: Julien Stuby [mailto:[EMAIL PROTECTED]
Sent: Saturday, 5 April 2008 21:19
To: 'debian-security@lists.debian.org'
Subject: RE: How to verify package integrity after they have been downloaded?

Hi,

If some packages are locally modified, this suggests that your local system is already compromised.
:¬

From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]
Sent: Saturday, 5 April 2008 06:11
To: debian-security@lists.debian.org
Subject: How to verify package integrity after they have been downloaded?

I would like to verify that some .deb files I downloaded a while ago (using apt) haven't been tampered with. (Actually, I'll be doing this kind of thing more than once.) I have the appropriate Release, Release.gpg and Packages files.

As the apt-secure(8) manual page states, apt verifies the integrity of the .deb packages when it downloads them. But it doesn't do so when installing from cache. To make sure, I manually modified a .deb file in /var/cache/apt/archives/ and installed that package with apt-get. The modified package was installed without any warnings.

(I'm working on Ubuntu 7.10 but I think there's no difference here between Debian and Ubuntu. Please correct me if I'm wrong.)

I can verify the signature of the Release file and check the hash-sum of the Packages file by hand. But there are a lot of .deb files to verify. I could write a script that would parse the Packages file and extract the checksums so that its output could be fed to the {md5,sha1,sha256}sum -c commands. But it would take considerable effort to make the script robust enough so that it doesn't break on new or malicious Packages files.

Is there a simpler way to verify the integrity of .deb packages that were downloaded with apt?

RE: How to verify package integrity after they have been downloaded?
Hi,

If some packages are locally modified, this suggests that your local system is already compromised.
:¬

From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]
Sent: Saturday, 5 April 2008 06:11
To: debian-security@lists.debian.org
Subject: How to verify package integrity after they have been downloaded?

I would like to verify that some .deb files I downloaded a while ago (using apt) haven't been tampered with. (Actually, I'll be doing this kind of thing more than once.) I have the appropriate Release, Release.gpg and Packages files.

As the apt-secure(8) manual page states, apt verifies the integrity of the .deb packages when it downloads them. But it doesn't do so when installing from cache. To make sure, I manually modified a .deb file in /var/cache/apt/archives/ and installed that package with apt-get. The modified package was installed without any warnings.

(I'm working on Ubuntu 7.10 but I think there's no difference here between Debian and Ubuntu. Please correct me if I'm wrong.)

I can verify the signature of the Release file and check the hash-sum of the Packages file by hand. But there are a lot of .deb files to verify. I could write a script that would parse the Packages file and extract the checksums so that its output could be fed to the {md5,sha1,sha256}sum -c commands. But it would take considerable effort to make the script robust enough so that it doesn't break on new or malicious Packages files.

Is there a simpler way to verify the integrity of .deb packages that were downloaded with apt?
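
The script the original question describes, sketched here as an added example (not code from any poster in the thread): a Packages parser that fails closed on anything malformed, plus a size and SHA-256 check of cached .deb files. It assumes the Release signature and the Packages hash were already verified by hand as the question says, that the Packages stanzas carry a SHA256 field, and that apt names cached files `<Package>_<Version>_<Architecture>.deb` with the epoch colon written as `%3a`; `parse_packages` and `verify_cache` are names chosen for this sketch.

```python
import hashlib, os, re, sys
FIELD = re.compile(r"([A-Za-z0-9-]+):[ \t]*(.*)")
RULES = {"Package": r"[a-z0-9][a-z0-9+.-]+", "Version": r"[A-Za-z0-9.+~:-]+",
         "Architecture": r"[a-z0-9-]+", "Size": r"[0-9]{1,12}", "SHA256": r"[0-9a-f]{64}"}

def parse_packages(text):
    """Return {apt cache file name: (size, sha256)}; ValueError on any malformed stanza."""
    index = {}
    for stanza in re.split(r"\n{2,}", text.strip("\n")):
        fields = {}
        for line in stanza.split("\n"):
            if line[:1] in (" ", "\t"):  # continuation of a multi-line field
                continue
            m = FIELD.fullmatch(line)
            if not m or m.group(1) in fields:
                raise ValueError("malformed or duplicate field: %r" % line[:60])
            fields[m.group(1)] = m.group(2).strip()
        for name, rule in RULES.items():  # strict syntax for the only fields used
            if not re.fullmatch(rule, fields.get(name, "")):
                raise ValueError("missing or invalid %s field" % name)
        # Assumption: apt cache name is <Package>_<Version>_<Architecture>.deb, ':' as %3a.
        key = "%s_%s_%s.deb" % (fields["Package"],
                                fields["Version"].replace(":", "%3a"), fields["Architecture"])
        entry = (int(fields["Size"]), fields["SHA256"])
        if index.setdefault(key, entry) != entry:
            raise ValueError("conflicting stanzas for %s" % key)
    return index

def verify_cache(index, cache_dir):
    """Return {file name: "ok" | "MISMATCH" | "unlisted"} for every regular *.deb file."""
    results = {}
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not name.endswith(".deb") or not os.path.isfile(path):
            continue
        if name not in index:
            results[name] = "unlisted"  # absent from this Packages file: nothing vouches for it
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        ok = (os.path.getsize(path), h.hexdigest()) == index[name]
        results[name] = "ok" if ok else "MISMATCH"
    return results

if __name__ == "__main__":  # usage: verify.py <verified Packages file> <directory of .debs>
    with open(sys.argv[1], encoding="utf-8") as f:
        for name, status in verify_cache(parse_packages(f.read()), sys.argv[2]).items():
            print(status, name)
```

Because the cache file name is rebuilt from validated fields rather than taken from the Filename path, a hostile Packages file cannot steer the check to a path outside the cache directory.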