123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217 |
- <?xml version="1.0" encoding="utf-8" standalone="no"?>
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
- <!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
- <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
- <!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
- ]>
- <refentry>
- <refentryinfo>
- &apt-author.jgunthorpe;
- &apt-author.team;
- &apt-email;
- &apt-product;
- <!-- The last update date -->
- <date>2012-06-09T00:00:00Z</date>
- </refentryinfo>
- <refmeta>
- <refentrytitle>apt-secure</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="manual">APT</refmiscinfo>
- </refmeta>
- <!-- NOTE: This manpage has been written based on the
- Securing Debian Manual ("Debian Security
- Infrastructure" chapter) and on documentation
- available at the following sites:
- http://wiki.debian.net/?apt06
- http://www.syntaxpolice.org/apt-secure/
- http://www.enyo.de/fw/software/apt-secure/
- -->
- <!-- TODO: write a more verbose example of how it works with
- a sample similar to
- http://www.debian-administration.org/articles/174
- ?
- -->
-
- <!-- Man page title -->
- <refnamediv>
- <refname>apt-secure</refname>
- <refpurpose>Archive authentication support for APT</refpurpose>
- </refnamediv>
- <refsect1><title>Description</title>
- <para>
- Starting with version 0.6, <command>apt</command> contains code
- that does signature checking of the Release file for all
- archives. This ensures that packages in the archive can't be
- modified by people who have no access to the Release file signing
- key.
- </para>
- <para>
- If a package comes from a archive without a signature, or with a
- signature that apt does not have a key for, that package is
- considered untrusted, and installing it will result in a big
- warning. <command>apt-get</command> will currently only warn
- for unsigned archives; future releases might force all sources
- to be verified before downloading packages from them.
- </para>
- <para>
- The package frontends &apt-get;, &aptitude; and &synaptic; support this new
- authentication feature.
- </para>
- </refsect1>
- <refsect1><title>Trusted archives</title>
- <para>
- The chain of trust from an apt archive to the end user is made up of
- several steps. <command>apt-secure</command> is the last step in
- this chain; trusting an archive does not mean that you trust its
- packages not to contain malicious code, but means that you
- trust the archive maintainer. It's the archive maintainer's
- responsibility to ensure that the archive's integrity is preserved.
- </para>
- <para>apt-secure does not review signatures at a
- package level. If you require tools to do this you should look at
- <command>debsig-verify</command> and
- <command>debsign</command> (provided in the debsig-verify and
- devscripts packages respectively).</para>
- <para>
- The chain of trust in Debian starts when a maintainer uploads a new
- package or a new version of a package to the Debian archive. In
- order to become effective, this upload needs to be signed by a key
- contained in the Debian Maintainers keyring (available in
- the debian-keyring package). Maintainers' keys are signed by
- other maintainers following pre-established procedures to
- ensure the identity of the key holder.
- </para>
- <para>
- Once the uploaded package is verified and included in the archive,
- the maintainer signature is stripped off, and checksums of the package
- are computed and put in the Packages file. The checksums of all of the
- Packages files are then computed and put into the Release file. The
- Release file is then signed by the archive key for this &keyring-distro; release,
- and distributed alongside the packages and the Packages files on
- &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring
- available in the &keyring-package; package.
- </para>
- <para>
- End users can check the signature of the Release file, extract a checksum
- of a package from it and compare it with the checksum of the package
- they downloaded by hand - or rely on APT doing this automatically.
- </para>
- <para>Notice that this is distinct from checking signatures on a
- per package basis. It is designed to prevent two possible attacks:
- </para>
- <itemizedlist>
- <listitem><para><literal>Network "man in the middle"
- attacks</literal>. Without signature checking, malicious
- agents can introduce themselves into the package download process and
- provide malicious software either by controlling a network
- element (router, switch, etc.) or by redirecting traffic to a
- rogue server (through ARP or DNS spoofing
- attacks).</para></listitem>
-
- <listitem><para><literal>Mirror network compromise</literal>.
- Without signature checking, a malicious agent can compromise a
- mirror host and modify the files in it to propagate malicious
- software to all users downloading packages from that
- host.</para></listitem>
- </itemizedlist>
- <para>However, it does not defend against a compromise of the
- Debian master server itself (which signs the packages) or against a
- compromise of the key used to sign the Release files. In any case,
- this mechanism can complement a per-package signature.</para>
- </refsect1>
- <refsect1><title>User configuration</title>
- <para>
- <command>apt-key</command> is the program that manages the list
- of keys used by apt. It can be used to add or remove keys, although
- an installation of this release will automatically contain the
- default Debian archive signing keys used in the Debian package
- repositories.
- </para>
- <para>
- In order to add a new key you need to first download it
- (you should make sure you are using a trusted communication channel
- when retrieving it), add it with <command>apt-key</command> and
- then run <command>apt-get update</command> so that apt can download
- and verify the <filename>InRelease</filename> or <filename>Release.gpg</filename>
- files from the archives you have configured.
- </para>
- </refsect1>
- <refsect1><title>Archive configuration</title>
- <para>
- If you want to provide archive signatures in an archive under your
- maintenance you have to:
- </para>
- <itemizedlist>
- <listitem><para><emphasis>Create a toplevel Release
- file</emphasis>, if it does not exist already. You can do this
- by running <command>apt-ftparchive release</command>
- (provided in apt-utils).</para></listitem>
-
- <listitem><para><emphasis>Sign it</emphasis>. You can do this by running
- <command>gpg --clearsign -o InRelease Release</command> and
- <command>gpg -abs -o Release.gpg Release</command>.</para></listitem>
- <listitem><para><emphasis>Publish the key fingerprint</emphasis>,
- that way your users will know what key they need to import in
- order to authenticate the files in the
- archive.</para></listitem>
- </itemizedlist>
- <para>Whenever the contents of the archive change (new packages
- are added or removed) the archive maintainer has to follow the
- first two steps outlined above.</para>
- </refsect1>
- <refsect1><title>See Also</title>
- <para>
- &apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;,
- &debsign;, &debsig-verify;, &gpg;
- </para>
- <para>For more background information you might want to review the
- <ulink
- url="http://www.debian.org/doc/manuals/securing-debian-howto/ch7">Debian
- Security Infrastructure</ulink> chapter of the Securing Debian Manual
- (available also in the harden-doc package) and the
- <ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html"
- >Strong Distribution HOWTO</ulink> by V. Alex Brennen. </para>
- </refsect1>
- &manbugs;
- &manauthor;
- <refsect1><title>Manpage Authors</title>
- <para>This man-page is based on the work of Javier Fernández-Sanguino
- Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
- </para>
- </refsect1>
-
- </refentry>
|