/usr/share/doc/aptitude/html/en/ch02s02s05.html is in aptitude-doc-en 0.8.10-6ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Understanding and managing package trust</title><link rel="stylesheet" type="text/css" href="aptitude.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="home" href="index.html" title="aptitude user's manual" /><link rel="up" href="ch02s02.html" title="Managing packages" /><link rel="prev" href="ch02s02s04.html" title="Downloading, installing, and removing packages" /><link rel="next" href="ch02s02s06.html" title="Managing automatically installed packages" /><link rel="preface" href="pr01.html" title="Introduction" /><link rel="chapter" href="ch01.html" title="Chapter 1. Getting started" /><link rel="chapter" href="ch02.html" title="Chapter 2. aptitude reference guide" /><link rel="chapter" href="ch03.html" title="Chapter 3. aptitude frequently asked questions" /><link rel="chapter" href="ch04.html" title="Chapter 4. 
Credits" /><link rel="reference" href="rn01.html" title="Command-line reference" /><link rel="refentry" href="rn01re01.html" title="aptitude" /><link rel="refentry" href="rn01re02.html" title="aptitude-create-state-bundle" /><link rel="refentry" href="rn01re03.html" title="aptitude-run-state-bundle" /><link rel="subsection" href="ch02s02s05.html#idm1858" title="Understanding trust" /><link rel="subsection" href="ch02s02s05.html#idm1883" title="Trusting additional keys" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Understanding and managing package trust</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch02s02s04.html"><img src="images/prev.gif" alt="Prev" /></a> </td><th width="60%" align="center">Managing packages</th><td width="20%" align="right"> <a accesskey="n" href="ch02s02s06.html"><img src="images/next.gif" alt="Next" /></a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="secTrust"></a>Understanding and managing package trust</h3></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="ch02s02s05.html#idm1858">Understanding trust</a></span></dt><dt><span class="section"><a href="ch02s02s05.html#idm1883">Trusting additional keys</a></span></dt></dl></div><p>
<code class="systemitem">apt</code>'s ability to access multiple package sources leads to
a potential security vulnerability. Suppose you add an
archive of packages published by Joe Random Hacker to your
<code class="filename">sources.list</code> file in order to install
Joe's <code class="systemitem">gargleblast</code> package. It is
possible, however, that -- unbeknownst to you -- Joe's
archive also contains his own <span class="quote">“<span class="quote">customized</span>”</span>
versions of packages such as <code class="systemitem">libc6</code>
and <code class="systemitem">ssh</code>...versions that steal your
private information or open backdoors on your system! If
these packages have higher version numbers than the
legitimate Debian packages, <code class="systemitem">apt</code> will blithely install them
on your system during your next upgrade, allowing Joe to do
his dirty work undetected. Joe could also break into your
mirror of the Debian archives and replace the legitimate
software with his doctored version.
</p><p>
Luckily, newer versions of <code class="systemitem">apt</code> and <span class="command"><strong>aptitude</strong></span>, such as the
version documented in this manual, have built-in safeguards
to help defeat this type of attack. <code class="systemitem">apt</code> uses strong
security mechanisms based on the popular <a class="ulink" href="http://www.gnupg.org" target="_top">GPG</a> encryption software
to verify that the packages being distributed from the
official Debian mirrors are the same packages that were
uploaded by the Debian developers. <span class="command"><strong>aptitude</strong></span> will then
warn you if you attempt to install a package from a
non-Debian source, or if you attempt to upgrade a package
that was installed from a Debian source to a version that
came from a non-Debian source.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="images/warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>
The security mechanisms in <code class="systemitem">apt</code> provide a near-perfect
guarantee that the contents of your archive mirror are
identical to the contents of the master Debian archive.
However, they are not a panacea: for instance, there are
many ways that a tampered package could theoretically find
its way into the master Debian archive.
</p><p>
Ensuring that you only install software from a trusted
source will give you an important degree of protection
against malicious packages, but it cannot eliminate all
the risks inherent in installing software.
</p></td></tr></table></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm1858"></a>Understanding trust</h4></div></div></div><p>
<code class="systemitem">apt</code> allows the administrator of an archive to provide a
<em class="firstterm">signature</em> of the archive's index.
This signature, which (for all practical purposes) cannot
be forged, indicates that the package files listed in the
index are the same files that the administrator intended
to place in the archive: i.e., that the contents of the
archive have not been tampered with since it was
created.<a href="#ftn.idm1863" class="footnote" id="idm1863"><sup class="footnote">[9]</sup></a> The signature can
be validated by checking that it corresponds to the
administrator's <em class="firstterm">public key</em>. The
public key of the Debian archive is distributed with
<code class="systemitem">apt</code>, typically on your Debian CD.
</p><p>
When <span class="command"><strong>aptitude</strong></span> downloads an archive index, it will check
whether the index is properly signed. If it is unsigned,
<span class="command"><strong>aptitude</strong></span> will not trust package files from that
archive (see below for information on what this means). If
it has a signature but the signature is incorrect or
cannot be verified, a warning will be printed and
<span class="command"><strong>aptitude</strong></span> will refuse to trust packages from that
archive.
</p><p>
Later, when you perform an <a class="link" href="ch02s02s04.html" title="Downloading, installing, and removing packages">install run</a>, <span class="command"><strong>aptitude</strong></span>
will check whether the packages are from trusted sources.
If an untrusted package is being installed, or a package
is being upgraded from a trusted to an untrusted version,
a warning will be displayed and you will have the
opportunity to abort the download:
</p><div class="screenshot"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" style="cellpadding: 0; cellspacing: 0;" width="100%"><tr><td><img src="images/trust-snapshot.png" width="100%" alt="[untrusted packages/versions warning]" /></td></tr></table><div class="longdesc-link" align="right"><br clear="all" /><span class="longdesc-link">[<a href="ld-idm1876.html" target="longdesc">D</a>]</span></div></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm1883"></a>Trusting additional keys</h4></div></div></div><p>
You might find it useful to allow <code class="systemitem">apt</code> to trust
additional archives, besides the main Debian archive. For
each archive that you want to trust, you will have to
acquire the public key that is used to sign the archive's
package index. This is typically a text file whose name
ends in <code class="filename">.asc</code>; it might be provided by
the site administrator or downloadable from a public
keyserver. For more information on what public keys are
and how to get them, see the <a class="ulink" href="http://www.gnupg.org" target="_top">GPG web page</a>.
</p><p>
The list of keys that <code class="systemitem">apt</code> will trust is stored in the
<em class="firstterm">keyring file</em>
<code class="filename">/etc/apt/trusted.gpg</code>. Once you have
the GPG key, you can add it to this file by executing the
command <span class="command"><strong>gpg --no-default-keyring --keyring
/etc/apt/trusted.gpg --import
<em class="replaceable"><code>newkey.asc</code></em></strong></span>.
<span class="command"><strong>aptitude</strong></span> will then trust any archive that is signed with
the key contained in <code class="filename">newkey.asc</code>.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="images/warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>
Once an archive's key has been added to the APT keyring,
it will be trusted just as much as the main Debian
mirrors themselves! You should only do this if you are
very confident that the key you are adding is correct
<span class="emphasis"><em>and</em></span> that the person who holds the
key is trustworthy and competent.
</p></td></tr></table></div></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div id="ftn.idm1863" class="footnote"><p><a href="#idm1863" class="para"><sup class="para">[9] </sup></a>As noted above, it does
<span class="emphasis"><em>not</em></span> indicate that the packages in the
archive are secure, or even non-malicious; it merely shows
that they are genuine.</p></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch02s02s04.html"><img src="images/prev.gif" alt="Prev" /></a> </td><td width="20%" align="center"><a accesskey="u" href="ch02s02.html"><img src="images/up.gif" alt="Up" /></a></td><td width="40%" align="right"> <a accesskey="n" href="ch02s02s06.html"><img src="images/next.gif" alt="Next" /></a></td></tr><tr><td width="40%" align="left" valign="top">Downloading, installing, and removing packages </td><td width="20%" align="center"><a accesskey="h" href="index.html"><img src="images/home.gif" alt="Home" /></a></td><td width="40%" align="right" valign="top"> Managing automatically installed packages</td></tr></table></div></body></html>
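
For the "Understanding trust" section above: an added example, not part of the aptitude manual, showing how a verified index extends to the package files it lists. It assumes a Debian `Packages` index with the standard `Filename`, `Size` and `SHA256` fields and the coreutils `sha256sum` tool; the function names and the sample data in `demo` are constructed, and the signature check on the index itself is not repeated here.

```shell
#!/bin/sh
# Added example: a file is accepted only if it matches what the index records.
# Assumes INDEX is a Debian "Packages" file that has already passed the
# signature check; Filename, Size and SHA256 are standard fields of it.

# Print "<size> <sha256>" from the INDEX ($1) stanza whose Filename is $2.
index_entry() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            name = size = sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) name = substr($i, 11)
                if ($i ~ /^Size: /)     size = substr($i, 7)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            if (name == want) { print size, sum; exit }
        }
    ' "$1"
}

# Succeed only if FILE ($3) has the size and hash INDEX ($1) lists for $2.
deb_matches_index() {
    entry=$(index_entry "$1" "$2")
    [ -n "$entry" ] || { echo "$2: not listed in index" >&2; return 1; }
    want_size=${entry%% *}
    want_sum=${entry#* }
    have_size=$(wc -c < "$3" | tr -d ' ')
    have_sum=$(sha256sum "$3" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_sum" = "$want_sum" ]
}

# Constructed sample: a one-stanza index and a file that is then altered.
demo() {
    d=$(mktemp -d) || return 1
    name=pool/g/gargleblast_1.0_all.deb
    printf 'constructed package bytes' > "$d/pkg.deb"
    printf 'Package: gargleblast\nFilename: %s\nSize: %s\nSHA256: %s\n' "$name" \
        "$(wc -c < "$d/pkg.deb" | tr -d ' ')" \
        "$(sha256sum "$d/pkg.deb" | cut -d' ' -f1)" > "$d/Packages"
    deb_matches_index "$d/Packages" "$name" "$d/pkg.deb" && echo "intact: accepted"
    printf 'X' >> "$d/pkg.deb"    # simulate tampering after the index was made
    deb_matches_index "$d/Packages" "$name" "$d/pkg.deb" || echo "altered: rejected"
    rm -rf "$d"
}
```

A stanza that lacks `Size` or `SHA256` never matches, so the check fails closed.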
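
For the "Trusting additional keys" section above, one way to act on its warning before running the import command: an added example, not part of the aptitude manual, that imports a key only when its primary fingerprint equals one obtained through a separate channel. The function names and `SAMPLE_LISTING` are constructed for illustration, and the script assumes a GnuPG version that provides `--show-keys`.

```shell
#!/bin/sh
# Added example: check a key's fingerprint before trusting it.
# The expected fingerprint must come from a channel other than the download.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Archive <archive@example.org>:
sub:-:4096:1:0000FEDCBA987654:1500000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000FEDCBA987654:'

# Print primary-key fingerprints from a colon listing on stdin. An "fpr"
# record (field 10) belongs to the "pub" or "sub" record just before it.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Normalise a fingerprint as people paste it: drop blanks, upper-case hex.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its fingerprint equals $1.
fingerprint_matches() {
    expected=$(normalise_fpr "$1")
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1
    count=$(printf '%s\n' "$found" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] && [ "$found" = "$expected" ]
}

# Run the manual's import command for KEYFILE ($1) only after the check.
import_if_expected() {
    if gpg --show-keys --with-colons "$1" | fingerprint_matches "$2"; then
        gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --import "$1"
    else
        echo "refusing to import $1: fingerprint does not match" >&2
        return 1
    fi
}
```

Requiring exactly one primary key rejects a file that bundles extra keys alongside the expected one.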