apt authentication
Michael Vogt
michael.vogt at canonical.com
Thu Nov 25 14:33:59 CST 2004
Dear Friends,
I would like to raise some questions regarding the support for gpg
signed repositories. The apt-secure patch that supports them was
merged into the apt--authentication arch branch [1] and the patch has
been used in debian/experimental for some time now. From a purely
technical point of view it should be ready.
The outstanding issue is the key-management. Matt raised the following
questions [2]:
1) How will keys be provided in a fresh install?
2) How will keys be authenticated?
3) How will new and updated keys be distributed to existing installations?
4) How will keys revocations be processed?
The current version will ship with a gpg-keyring in the tarball that
contains the debian archive signing key. If no keyring is present it
will install the key in /etc/apt/trusted.gpg. If that file is present
it will do nothing.
It will not depend on gpg but only suggest it. This is because it is
fully functional without gpg.
As an example I looked at how Conectiva solves problems 1-4. They
have used a forked version of apt-secure for some time now and they
handle the key distribution issue a bit differently. They do not ship
with a keyring; they only have it on the install CD. Their archive key
is signed by a number of Conectiva developers [3]. I have not found out
how they handle revocation or new keys. Apparently Conectiva Linux 10
uses a key created in 2000.
URPMI seems to solve the problem by having a pubkey file in the
repository. It's then just downloaded and used. This (and any form of
automatic key update) looks very dangerous, as an attacker who
e.g. captured a mirror may just sneak in a new pubkey file and sign
his rogue packages with that.
thanks,
Michael
[1] apt at packages.debian.org/apt--authentication--0 at
http://people.debian.org/~mdz/arch
[2] https://www.ubuntulinux.org/wiki/APTAuthentication
[3] http://distro.conectiva.com.br/seguranca/chave/?idioma=en
--
The first rule of holes is: when you find yourself in one, stop digging. - PJ
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
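The mirror-capture scenario Michael describes for URPMI, modelled as an added example (this is not apt-secure's code, nor anything from the thread). It stands in for gpg with a Lamport one-time signature built from SHA-256, which is a real asymmetric scheme but a constructed choice here so the block runs offline with the standard library. Two client policies are compared against the same rogue mirror: a keyring pinned at install time (the /etc/apt/trusted.gpg approach) and the "download the pubkey file from the repository" approach. The repository layout (Release, Release.gpg, pubkey) and the package text are constructed for the demo.

```python
"""Added example: why a repository-served pubkey cannot bootstrap trust.

A Lamport one-time signature over SHA-256 stands in for gpg (constructed
for this demo; the key sizes and repository file names are assumptions,
not apt-secure's format).
"""
import hashlib
import hmac
import secrets

BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (BITS - 1 - i)) & 1


def sign(sk, msg: bytes):
    """Reveal, per message-hash bit, the secret of the matching pair."""
    digest = int.from_bytes(H(msg), "big")
    return [sk[i][_bit(digest, i)] for i in range(BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare against the public key."""
    if len(sig) != BITS:
        return False
    digest = int.from_bytes(H(msg), "big")
    return all(
        hmac.compare_digest(H(sig[i]), pk[i][_bit(digest, i)]) for i in range(BITS)
    )


def build_repo(sk, pk, release_text: str):
    """A minimal repository: the Release file, its detached signature, and
    (URPMI-style) a pubkey file served right next to them."""
    release = release_text.encode()
    return {"Release": release, "Release.gpg": sign(sk, release), "pubkey": pk}


def verify_with_pinned_keyring(repo, trusted_keys) -> bool:
    """Policy A: trust only keys the installer shipped (trusted.gpg analogue)."""
    return any(verify(pk, repo["Release"], repo["Release.gpg"]) for pk in trusted_keys)


def verify_with_repo_pubkey(repo) -> bool:
    """Policy B: trust whatever pubkey file the (possibly captured) mirror serves."""
    return verify(repo["pubkey"], repo["Release"], repo["Release.gpg"])


def demo():
    archive_sk, archive_pk = keygen()
    trusted = [archive_pk]  # what the install put into the client keyring

    honest = build_repo(archive_sk, archive_pk, "Package: hello\nVersion: 1.0\n")

    # Attacker who captured a mirror: own key pair, own pubkey file, re-signed index.
    attacker_sk, attacker_pk = keygen()
    rogue = build_repo(attacker_sk, attacker_pk, "Package: hello\nVersion: 1.0-rogue\n")

    # Attacker who only edits Release without a key of his own: signature breaks.
    tampered = dict(honest)
    tampered["Release"] = b"Package: hello\nVersion: 1.0-tampered\n"

    return {
        "honest_pinned": verify_with_pinned_keyring(honest, trusted),
        "honest_repokey": verify_with_repo_pubkey(honest),
        "rogue_pinned": verify_with_pinned_keyring(rogue, trusted),
        "rogue_repokey": verify_with_repo_pubkey(rogue),
        "tampered_pinned": verify_with_pinned_keyring(tampered, trusted),
        "tampered_repokey": verify_with_repo_pubkey(tampered),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'accepted' if ok else 'REJECTED'}")
```

The only line that differs between the two outcomes is where the verifier gets its public key. Policy B accepts the rogue mirror because the pubkey and the signature come from the same untrusted source, so the check degenerates into "does this file match itself". Policy A rejects it because the archive key was placed on the client out of band. Note that the Lamport scheme is one-time: signing two different messages with the same key leaks enough secrets to forge, so it is used here for the trust-model comparison only.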