From d2793259e3dcf76e5c547a5eb72845211bc14905 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 11 Aug 2005 14:51:07 +0000 Subject: * added patch that adds a apt-secure man-page (thanks to jfs@computer.org) --- doc/apt-secure.8.xml | 200 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 200 insertions(+) create mode 100644 doc/apt-secure.8.xml (limited to 'doc/apt-secure.8.xml') diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml new file mode 100644 index 000000000..c1d46cb45 --- /dev/null +++ b/doc/apt-secure.8.xml @@ -0,0 +1,200 @@ + + +%aptent; + +]> + + + &apt-docinfo; + + + apt-secure + 8 + + + + + + + + + apt-secure + Archive authentication support for APT + + + Description + + Starting with version 0.6, apt contains code + that does signature checking of the Release file for all + archives. This ensures that packages in the archive can't be + modified by people who have no access to the Release file signing + key. + + + + If a package comes from a archive without a signature or with a + signature that apt does not have a key for that package is + considered untrusted and installing it will result in a big + warning. apt-get will currently only warn + for unsigned archives, future releases might force all sources + to be verified before downloading packages from them. + + + + The package frontends &apt-get;, &aptitude; and &synaptic; support this new + authentication feature. + + + + Trusted archives + + + The chain of trust from an apt archive to the end user is made up of + different steps. apt-secure is the last step in + this chain, trusting an archive does not mean that the packages + that you trust it do not contain malicious code but means that you + trust the archive maintainer. Its the archive maintainer + responsibility to ensure that the archive integrity is correct. + + + apt-secure does not review signatures at a + package level. If you require tools to do this you should look at + debsig-verify and + debsign (provided in the debsig-verify and + devscripts packages respectively). + + + The chain of trust in Debian starts when a maintainer uploads a new + package or a new version of a package to the Debian archive. This + upload in order to become effective needs to be signed by a key of + a maintainer within the Debian maintainer's keyring (available in + the debian-keyring package). Maintainer's keys are signed by + other maintainers following pre-established procedures to + ensure the identity of the key holder. + + + + Once the uploaded package is verified and included in the archive, + the maintainer signature is stripped off, an MD5 sum of the package + is computed and put in the Packages file. The MD5 sum of all of the + packages files are then computed and put into the Release file. The + Release file is then signed by the archive key (which is created + once a year and distributed through the FTP server. This key is + also on the Debian keyring. + + + + Any end user can check the signature of the Release file, extract the MD5 + sum of a package from it and compare it with the MD5 sum of the + package he downloaded. Prior to version 0.6 only the MD5 sum of the + downloaded Debian package was checked. Now both the MD5 sum and the + signature of the Release file are checked. + + + Notice that this is distinct from checking signatures on a + per package basis. It is designed to prevent two possible attacks: + + + + Network "man in the middle" + attacks. Without signature checking, a malicious + agent can introduce himself in the package download process and + provide malicious software either by controlling a network + element (router, switch, etc.) or by redirecting traffic to a + rogue server (through arp or DNS spoofing + attacks). + + Mirror network compromise. + Without signature checking, a malicious agent can compromise a + mirror host and modify the files in it to propage malicious + software to all users downloading packages from that + host. + + + However, it does not defend against a compromise of the + Debian master server itself (which signs the packages) or against a + compromise of the key used to sign the Release files. In any case, + this mechanism can complement a per-package signature. + + + User configuration + + apt-key is the program that manages the list + of keys used by apt. It can be used to add or remove keys although + an installation of this release will automatically provide the + default Debian archive signing keys used in the Debian package + repositories. + + + In order to add a new key you need to first download it + (you should make sure you are using a trusted communication channel + when retrieving it), add it with apt-key and + then run apt-get update so that apt can download + and verify the Release.gpg files from the archives you + have configured. + + + +Archive configuration + + If you want to provide archive signatures in an archive under your + maintenance you have to: + + + + Create a toplevel Release + file. if it does not exist already. You can do this + by running apt-ftparchive release + (provided inftp apt-utils). + + Sign it. You can do this by running + gpg -abs -o Release.gpg Release. + + Publish the key fingerprint, + that way your users will know what key they need to import in + order to authenticate the files in the + archive. + + + + Whenever the contents of the archive changes (new packages + are added or removed) the archive maintainer has to follow the + first two steps previously outlined. + + + +See Also + +&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-archive;, +&debsign; &debsig-verify;, &gpg; + + +For more backgound information you might want to review the +Debian +Security Infrastructure chapter of the Securing Debian Manual +(available also in the harden-doc package) and the +Strong Distribution HOWTO by V. Alex Brennen. + + + + &manbugs; + &manauthor; + + + -- cgit v1.2.3