
One of the easy ways to install a program in Ubuntu Linux is to type a command in the terminal, but how do I know that the program is coming from a trusted source and not from somewhere dangerous? For example, if I was installing ClamAV, how do I know ClamAV came from www.clamav.net or somewhere safe and not from a malicious source? I mean, a hacker can do something to redirect the command to make it get the software from a fake site, correct?

2 Answers

As with many well-designed systems, the package system of Debian has defense in depth: multiple layers, each of which can be verified.

  • How do we trust the package file is what the system promises? The hash value is computed and compared against the stored value.

  • How do we trust the hash value isn't accidentally matching some other file? Multiple hash algorithms are used, and only if all those match the stored values do we trust the content actually matches.

  • How do we trust the stored values are meant for the package file we downloaded? The hash values are downloaded in a separate file (the various Packages.* files) pre-computed automatically by the archive system.

  • How do we trust the downloaded Packages.* files are what is promised by the system? The hash value for each file is stored in a single Release file for the whole archive.

  • How do we trust that the Release file is what is promised by the system? The cryptographic signature is computed, and compared against the separately-downloaded pre-computed signature from the archive.

  • How do we trust the signatures stored in the archive are actually from the archive we expected? It is certified by an archive key which we can fetch independently from a separate URL, and is installed in the initial set-up of the operating system.

And so on. At some point in the chain you have to trust some part of (and party in) the system, on less-than-ideal evidence.

With the above layers, the low-evidence trust window can be kept small and easily-scrutinised. The one-way hashes, and cryptographic signatures, allow us to trust the mathematics to certify what follows in sequence.

The Debian wiki has a good, comprehensive description of how the APT system is secured.

Of course, many other things can go wrong by mistake or malice, and violate our assumptions about what is actually happening. As usual, the only persistent defense against possible attacks is: eternal vigilance.

  • Nice answer! It would be even better if you could add some reference links. Commented Dec 29, 2015 at 2:03
  • It gets more complicated when problematic license terms prevent the packages from containing all the code they need and instead contain a script to download the rest of the code.
    – kasperd
    Commented Dec 29, 2015 at 17:22
  • I joined this community just to give you an upvote. Nice.
    – JonH
    Commented Dec 29, 2015 at 17:38
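The hash chain the first answer walks through (.deb → Packages file → Release file), as an added worked example that is not part of any answer above. The archive contents, file paths and package name are constructed in memory; the signature check of the Release file against the archive key, which the real chain performs first with gpg, is assumed to have already passed and is not performed here.

```python
import hashlib

# Constructed sample archive held in memory (not a real Ubuntu/Debian archive).
DEB_BYTES = b"!<arch>\nconstructed-clamav-package-contents\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Packages file: per-package stanza carrying the .deb's size and hash.
PACKAGES = (
    "Package: clamav\nVersion: 0.99-1\n"
    "Filename: pool/main/c/clamav/clamav_0.99-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {sha256(DEB_BYTES)}\n"
).encode()

# Release file: one hash line per index file of the whole archive.
RELEASE = (
    "Origin: Constructed\nSHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
)


def release_hashes(release_text):
    """Parse the SHA256 stanza of a Release file into {path: (hash, size)}."""
    hashes, in_stanza = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_stanza = False
    return hashes


def packages_entry(packages_bytes, name):
    """Return the field dict for package `name` from a Packages file, or None."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    return None


def verify_chain(release_text, packages_path, packages_bytes, name, deb_bytes):
    """True only if every link from the (already signature-checked) Release
    file down to the downloaded .deb matches; any mismatch breaks the chain."""
    expected = release_hashes(release_text).get(packages_path)
    if expected != (sha256(packages_bytes), len(packages_bytes)):
        return False  # Packages file is not what Release promises
    entry = packages_entry(packages_bytes, name)
    if entry is None:
        return False
    return entry["SHA256"] == sha256(deb_bytes) and int(entry["Size"]) == len(deb_bytes)
```

A mirror or on-path attacker can swap the .deb or rewrite the Packages index, but either change breaks a link of the chain, which is why only the Release file needs a signature.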

apt-get has a list of trusted gpg keys. apt-get install downloads the packages from repository (mirror) servers, normally not the server of the author of the software. To ensure authenticity, each package is signed with gpg. The package is only installed if the signature is trusted. So even in the case of a MITM attack, the signature check will fail if the package is modified.

  • Most packages are not signed. See blog.packagecloud.io/eng/2014/10/28/…. Commented Dec 28, 2015 at 23:42
  • @NeilSmithline help.ubuntu.com/community/SecureApt seems to say otherwise? For me it also seems a more trustworthy source of information. From what I understand, one of the differences between the 2 sites is that packagecloud talks about packages signed by the developer and ubuntu.com talks about the package list with the MD5 sums of all package files being signed by the repository.
    – H. Idden
    Commented Dec 29, 2015 at 0:10
  • @NeilSmithline - question is about Ubuntu not Debian. AFAIK all official Ubuntu packages are signed
    – paj28
    Commented Dec 29, 2015 at 11:08
  • @paj28 doesn't Ubuntu ship Debian packages? Do they sign them before doing such? Commented Dec 29, 2015 at 16:16
  • @paj28 the package sources are signed, binaries aren't. What is signed in the binaries are the repositories.
    – Braiam
    Commented Dec 29, 2015 at 16:28
