Jeff Abrahamson on 24 Jan 2006 14:38:26 -0000



Re: [PLUG] secure apt


On Mon, Jan 23, 2006 at 05:43:08PM -0500, sean finney wrote:
> 
> hey jeff,
> 
> On Mon, Jan 23, 2006 at 04:32:57PM -0500, Jeff Abrahamson wrote:
> > I want to check that I've understood this correctly from reading
> > debian docs.  The new version of apt pays attention to gpg signatures,
> > but debs are not currently being signed.  It's recommended, then, that
> > I ignore this error on "apt-get install":
> 
> the debs are not signed[1], but this isn't what apt is checking.
> apt performs its verification via the Release file, which is signed
> with the debian archive signing key.  the Release file contains a list
> of Packages and Sources files and their sizes/md5sums.  these files
> then in turn carry the md5sums of the binary and source packages.  so,
> if the size/md5sum on the package matches the entry in Packages, and
> the md5sum of Packages matches what's in Release, and the signature of
> Release is good, then apt is happy.

Ah, I see.  I was confused on that.  Thanks.


> of course, apt has to know about the archive signing key in
> the first place, which is what i think your problem is.
> 
> >     Install these packages without verification [y/N]? y
> 
> what's the output of apt-key list?

  astra:/home/jeff# apt-key list
  /etc/apt/trusted.gpg
  --------------------
  pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
  uid                  Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>

  pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
  uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

  pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
  uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

  astra:/home/jeff#

Note that I imported the key Steve Gran suggested, but I do still get
errors.  For example,

    astra:/home/jeff# apt-get install apt-file
    Reading package lists... Done
    Building dependency tree... Done
    The following extra packages will be installed:
      libconfigfile-perl
    The following NEW packages will be installed:
      apt-file libconfigfile-perl
    0 upgraded, 2 newly installed, 0 to remove and 512 not upgraded.
    Need to get 18.2kB of archives.
    After unpacking 111kB of additional disk space will be used.
    Do you want to continue [Y/n]?
    WARNING: The following packages cannot be authenticated!
      libconfigfile-perl apt-file
    Install these packages without verification [y/N]?
    E: Some packages could not be authenticated
    astra:/home/jeff#

So I'm still somewhat confused.


> > I want to be very careful about this, because it's initially difficult
> > to differentiate a bad signature from a broken secure apt.
> 
> if the signature is bad, you'll get a separate error i believe.  if
> there's no signature, or if the signature is not in your trusted
> keyring, you'll get a message like the above.

-- 
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>    +1 215/837-2287
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B
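The chain Sean describes above, as an added example that is not code from this thread or from apt itself: a small Python model of the Release -> Packages -> .deb checks, run on constructed sample files. The Release signature verdict is passed in as a boolean standing in for gpg's check against the apt-key keyring, since that missing-key step is the part Jeff's warning is about; the hash checks are done for real.

```python
import hashlib

def md5(b): return hashlib.md5(b).hexdigest()

# Constructed sample mirror content (not real Debian files).
DEB = b"!<arch>\nconstructed-sample-deb\n"
PACKAGES = (f"Package: apt-file\nFilename: pool/main/a/apt-file/apt-file.deb\n"
            f"Size: {len(DEB)}\nMD5sum: {md5(DEB)}\n").encode()
RELEASE = ("Origin: Debian\nMD5Sum:\n"
           f" {md5(PACKAGES)} {len(PACKAGES)} main/binary-i386/Packages\n")

def parse_release(text):
    """Return {index_path: (md5, size)} from the MD5Sum: block of Release."""
    entries, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif not line.startswith(" "):
            in_block = False  # any other top-level field ends the block
        elif in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(data):
    """Return {package_name: {field: value}} from a Packages index."""
    stanzas = {}
    for stanza in data.decode().strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_package(release, release_sig_ok, index_path, packages, name, deb):
    """Walk Release -> Packages -> .deb; return None if apt would be happy,
    else the link that broke.  release_sig_ok stands in for gpg's verdict on
    Release.gpg against the apt-key keyring (assumed to be checked elsewhere)."""
    if not release_sig_ok:
        return "Release signature missing or key not in trusted keyring"
    entry = parse_release(release).get(index_path)
    if entry is None:
        return f"{index_path} not listed in Release"
    if entry != (md5(packages), len(packages)):
        return "Packages index does not match Release"
    pkg = parse_packages(packages).get(name)
    if pkg is None:
        return f"{name} not in Packages"
    if (pkg["MD5sum"], int(pkg["Size"])) != (md5(deb), len(deb)):
        return f"{name} .deb does not match Packages"
    return None
```

Every link but the first is a plain size/md5sum comparison, which is why an unsigned or untrusted Release collapses the whole chain into the "cannot be authenticated" warning shown earlier rather than a bad-signature error.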


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug