<div>This lead me to search for more answers online, where I have found an article that suggests that package metadata is verified, but that package contents are not. (<a href="https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/">https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/</a>) Again, it's unclear if that article applies to Debian 10, but since my system as "no-debsig" in /etc/dpkg/dpkg.
</div><div>I hope someone can help me find some answers on this!</div><div><br></div><div>thanks,</div><div>Ramin</div></div></div></div></div></div></div></div>
This lead me to search for more answers online, where I have found an
article that suggests that package metadata is verified, but that package
contents are not.
([1]https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/)
I do know that if I use "apt download" to download a .deb file, break it
apart (using ar and tar), make a change, and put it back together, I can
the use "apt install ./X.deb" to install it, even though I haven't updated
any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg
doesn't affect the outcome.
And finally, it seems that even wikipedia says that package signatures
aren't being checked on most systems
([3]https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).
The signed metadata includes cryptographic checksums of the package
contents. Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without invalidating the signature.
I do know that [I can tamper with .deb pkg on my computer prior toinstallation without triggering warnings].
That's correct; the validation happens during retrieval. Once the
package is on your computer, you are free to tamper with it however you
want.
And finally, it seems that even wikipedia says that package signatures
aren't being checked on most systemshttps://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).
([3]
That's correct; package validation is done as described above. You left
out the part of the wikipedia article that states [...]
<br></div><div>"Debian-based distributions support GPG signature verification of signed Debian packages, but most (if not all) have this feature disabled by default."</div><div><br></div><div>OK. That's straightforward enough. There's some infrastructure for GPG signature verification but it's disabled by default. That's not a problem in itself, if some other form of effective verification is happening. Just another sentence stating that in the wikipedia article would have
<div>In my digging around so far, I found that the .deb file contains a control.tar.xz file, which has some md5 checksum information, but it has very patchy coverage of the files in the package. I hope that's just a holdover from a deprecatedmechanism, and is not being used nowadays.</div><div><br></div><div>"Currently there are two different implementations for signing individual packages..."</div><div>I think this is referring to the GPG signature verification mechanisms that are
The signed metadata includes cryptographic checksums of the package
contents. Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without
invalidating the signature.
This all sounds pretty promising! Thank you, Noah! Do you happen to know
how to access this metadata? I'd love to be able to look at it and
understand it better.
Again, I'd love to see one of these release files, so I could see:
a) what data, exactly, is being checksummed
b) what sort of hash algorithm is involved
In my digging around so far, I found that the .deb file contains a
control.tar.xz file, which has some md5 checksum information, but it has
very patchy coverage of the files in the package. I hope that's just a
holdover from a deprecated mechanism, and is not being used nowadays.
"Currently there are two different implementations for signing
individual packages..."
I think this is referring to the GPG signature verification mechanisms
that are disabled by default. I'm happy to not try to not go down the
route of enabling GPG verification, since it seems to be poorly
documented (I haven't found a single concrete example of how to do
this), so long as I can feel that the metadata checksum method is sufficiently reliable. I think that looking at the Release files would
go a long way to relieving my anxiety about this. Any help would be appreciated!
I do wish there was an official document giving a high-level TLDR
description of apt security, complete with caveats. As a bonus
cherry-on-top wish, it would be awesome if it furthermore made clear
what old mechanisms were deprecated and could be ignored!
This all sounds pretty promising! Thank you, Noah! Do you happen toknow
how to access this metadata? I'd love to be able to look at it and
understand it better.
See the signed InRelease files in /var/lib/apt/lists
You should read
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
Thanks! I will do so!
On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:
The signed metadata includes cryptographic checksums of the packagethe
contents. Thus, package contents can't be modified in storage on
mirror or in transit to your system without invalidating thechecksum,
and the checksums can't be updated in the repository metadatawithout
invalidating the signature.
This all sounds pretty promising! Thank you, Noah! Do you happen toknow
how to access this metadata? I'd love to be able to look at it and
understand it better.
See the signed InRelease files in /var/lib/apt/lists
Again, I'd love to see one of these release files, so I could see:has
a) what data, exactly, is being checksummed
b) what sort of hash algorithm is involved
In my digging around so far, I found that the .deb file contains a
control.tar.xz file, which has some md5 checksum information, but it
very patchy coverage of the files in the package. I hope that's just a
holdover from a deprecated mechanism, and is not being used nowadays.
The MD5 sums are use by the debsums program. Because md5 is weak and
because there are plenty of ways to bypass file-level checksum
validation in general, these are more useful at identifying corruption
or valid local modifications rather than system compromise.
You should read
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
It's a little dated, as it still mentions the use of md5 in the Release
files when we use sha256 these days, but it's good for a higher level overview.
noah
</div><div>I understand, of course, that all this assumes that my system hasn't been compromised already. But, yes, if I have a clean system, and non of the keys or hashes are compromised, I can see how this would work. And this would mean that Iwouldn't need to do GPG verification of the packages as described in section 7.5.2 of the Manual, and the article I first posted (<a href="https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/">https://blog.
</div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 28, 2021 at 11:56 AM Noah Meyerhans <<a href="mailto:noahm@debian.org">noahm@debian.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:<br>
It's not entirely clear to me what the CIS guideline was expecting me to
do. It says:
  Verify GPG keys are configured correctly for your package manager:
  # apt-key list
Perhaps they want me to install apt-key, and use it to look at the gpg
keys installed on my system, and then somehow verify that they aren't compromised? Does that sound like I'm understanding them correctly?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 52:09:06 |
Calls: | 6,650 |
Calls today: | 2 |
Files: | 12,200 |
Messages: | 5,330,387 |