diff options
| author | Michael Vogt <michael.vogt@ubuntu.com> | 2005-11-16 16:21:04 +0000 |
|---|---|---|
| committer | Michael Vogt <michael.vogt@ubuntu.com> | 2005-11-16 16:21:04 +0000 |
| commit | 7230ad48a5c7766281c824c7373ecc8900e25995 (patch) | |
| tree | 15a6dc1171c9d2b9696b67c22c1b5d4c6c863a75 /doc/apt-secure.8.xml | |
| parent | 74a05226eff7041cd8f2380fe599862d350a1ac3 (diff) | |
| parent | 7e15443375875a15babd8bc35eeaef2785a06374 (diff) | |
* merged with apt--mvo--0
Patches applied:
* apt@packages.debian.org/apt--sources-list-d--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-30
* apt@packages.debian.org/apt--sources-list-d--0--patch-1
Patch from apt-rpm via Michael Vogt to implement /etc/apt/sources.list.d
* bubulle@debian.org--2005/apt--main--0--patch-96
Sync with Matt
* bubulle@debian.org--2005/apt--main--0--patch-97
Merge with Matt
* bubulle@debian.org--2005/apt--main--0--patch-98
Update PO files with the POT
* bubulle@debian.org--2005/apt--main--0--patch-99
Added Galician translation
* bubulle@debian.org--2005/apt--main--0--patch-100
Completed Danish translation
* bubulle@debian.org--2005/apt--main--0--patch-101
Merge with Matt
* bubulle@debian.org--2005/apt--main--0--patch-102
Merge with Michael Vogt's archive
* bubulle@debian.org--2005/apt--main--0--patch-103
Update the POT files and all PO files to resync with recent code
* bubulle@debian.org--2005/apt--main--0--patch-104
French translation completed
* bubulle@debian.org--2005/apt--main--0--patch-105
Proofread by Fred Bothamy
* bubulle@debian.org--2005/apt--main--0--patch-106
Merge with mvo
* bubulle@debian.org--2005/apt--main--0--patch-107
Italian translation corrected
* bubulle@debian.org--2005/apt--main--0--patch-108
Italian translation update
* bubulle@debian.org--2005/apt--main--0--patch-109
Italian translation completed
* bubulle@debian.org--2005/apt--main--0--patch-110
Swedish translation update
* bubulle@debian.org--2005/apt--main--0--patch-111
Merge with Michael
* bubulle@debian.org--2005/apt--main--0--patch-112
Swedish translation completed
* bubulle@debian.org--2005/apt--main--0--patch-113
Silly update to French translation (testing)
* bubulle@debian.org--2005/apt--main--0--patch-114
Basque translation update
* bubulle@debian.org--2005/apt--main--0--patch-115
Basque translation completed
* bubulle@debian.org--2005/apt--main--0--patch-116
Merge with Michael
* bubulle@debian.org--2005/apt--main--0--patch-117
Merge with Michael
* bubulle@debian.org--2005/apt--main--0--patch-118
Russian translation update by Yuri Kozlov
* bubulle@debian.org--2005/apt--main--0--patch-119
Merge with Michael and add update-po as a pre-req for binary
* bubulle@debian.org--2005/apt--main--0--patch-120
Re-generate all PO Files
* bubulle@debian.org--2005/apt--main--0--patch-121
Complete French translation
* bubulle@debian.org--2005/apt--main--0--patch-122
Correct typography in French translation
* bubulle@debian.org--2005/apt--main--0--patch-123
Spelling fix for consistency in French translation
* bubulle@debian.org--2005/apt--main--0--patch-124
Merge with Michael
* bubulle@debian.org--2005/apt--main--0--patch-125
Fixed localization of y/n questions in German translation
* bubulle@debian.org--2005/apt--main--0--patch-126
Swedish translation update
* bubulle@debian.org--2005/apt--main--0--patch-127
Complete Tagalog translation / Add Changelog
* bubulle@debian.org--2005/apt--main--0--patch-128
Danish translation update
* bubulle@debian.org--2005/apt--main--0--patch-129
Basque translation update
* bubulle@debian.org--2005/apt--main--0--patch-130
Galician translation completed
* bubulle@debian.org--2005/apt--main--0--patch-131
Simplified Chinese translation update
* michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-5
* merged with apt--main--0
* michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-6
* fixed a incorrect po/he.po merge
* michael.vogt@ubuntu.com--2005/apt--cdrom-fallback--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-110
* michael.vogt@ubuntu.com--2005/apt--cdrom-fallback--0--patch-1
* initial patch to make falling back from cdrom possible
* michael.vogt@ubuntu.com--2005/apt--cdrom-fallback--0--patch-2
* fix in methods/cdrom.cc: don't call Fail() but return false so that apt can fallback to a differencent source
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-10
* fix a bug in a man-page, fix a problem with overly long lines in apt-cdrom
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-11
* merged with apt--main--0
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-12
* fix a incorrect error message (it always added .gz regardless what was downloaded)
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-13
* merged with main
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-14
* added Hashsum support for file and cdrom
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-15
* added README.arch
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-16
* merged with main
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-17
* move the changelog to the right place
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-18
* Change pkgPolicy::Pin from private to protected
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-19
* added a default constructor for PrvIterator
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-20
* applied otavios patch to reread the statusFile on debSystem::Initialize
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-33
* merged with matt's tree
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-34
* merged with matts tree
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-35
* build debian and ubuntu package from the same source
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-36
* added debian/patches dir
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-37
* fix the breakage from my last commit (note to self: always, _always_ run baz diff before a commit)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-38
* removed the lsb_release build patch (nobody except me seems to like it)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-39
* merged from main
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-40
* merged the apt--sane-handle-timeout--0 branch
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-41
* merged apt--bts225947--0
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-42
* merged with apt--main
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-43
* added patch that adds a apt-secure man-page (thanks to jfs@computer.org)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-44
* added author credits
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-45
* added apt-ftparchive.conf example
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-46
* corrected the utf8 of javier fernandes pena
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-47
* improve the timeout handling (again)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-48
* merged with apt--fixes--0
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-49
* README.arch updates, comment in apt-pkg/algorithm.h added, apt-pkg/cacheiterators.h order in initlist changed to remove warning
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-50
* meda-change message is send over status-fd now
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-51
* include a human readable string for the MediaChange status-fd message as well
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-52
* finalizing changelog
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-53
* check ctime as well in cron.daily when cleaning up packages in apt.cron.daily
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-54
* fix a stupid typo in apt.cron.daily
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-55
* fix apt-pkg/cdrom.cc to umount the cdrom again if anything fails
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-56
* merged from apt--cdrom-fallback--0
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-57
* changelog update
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-58
* better error string for a failed dpkg-source
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-59
* make sure that the pkgRecords D'tor does not segfault
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-60
* merged updated french man-page
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-61
* merged with bubulle
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-62
* leak fix for debian #250583
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-63
* changelog update
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-64
* merged with bubulle
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-65
* inital support for "apt-get source -t dist" (but no downgrades yet
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-66
* full support for apt-get source -t now (and honor pining too)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-67
* added APT::Authentication::Trust-CDROM option
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-68
* fix a crash in apt-ftparchive
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-69
* sparc64 alignment fix
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-70
* fix segfault when there is no Archive for a VerFile
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-71
* don't get candidate release as version tag for FindSrc by default. because it break for bin-NMUs :/ (e.g. dpkg source is 1.13.11, but i386 version string is 1.13.11.0.1)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-72
* corrections in the changelog
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-73
* init the default ScreenWidth to 79 columns by default (Closes: #324921)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-74
apt-cdrom.cc:fix some missing gettext() calls (closes: #334539); doc/apt-cache.8.xml: fix typo (closes: #334714)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-75
* seting section to "admin" to match override file
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-76
* finalized the changelog
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-77
* renamed Trust-CDROM to TrustCDROM to make it consistent with ubuntu
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-78
* fix a incorrect example
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-79
* revert patch from patch-59, causes all sorts of trouble
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-80
* fix changelog
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-81
* be extra carefull in cmdline/apt-get.cc:FindSrc() and check VF.File() for NULL
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-82
* merged with bubulle
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-83
* cmdline/apt-get.cc: fix bug in FindSrc() (debian #335213)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-84
* added armeb to archtable
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-85
* merged with bubulle, changelog updates
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-86
* merged the NMU from Franz Pop, fixed armeb problem (#333599)
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-87
* removed double armeb entry in buildlib/sizetable
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-88
* finalized changelog
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-89
* turn off "secure-acquire" when --allow-unauthenticated is given
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-90
* merged the sources.list.d patch
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-91
* merged with bubulle
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-92
* changelog update
* michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-93
* sources.list.d documented
* michael.vogt@ubuntu.com--2005/apt--sane-handle-timeout--0--patch-3
* merged with main
* michael.vogt@ubuntu.com--2005/apt--trust-cdrom--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-79
* michael.vogt@ubuntu.com--2005/apt--trust-cdrom--0--patch-1
* implemented "TrustCDROM" mode
* michael.vogt@ubuntu.com--2005/apt--trust-cdrom--0--patch-2
* added APT::Authentication::TrustCDROM to the configure-index
* otavio@debian.org--2005/apt--fixes--0--patch-28
Reread status configuration, needed for clients using independent apt ...
* philippe.batailler@free.fr--2005/VOGTapt--mvo--0--patch-1
French L10N update
* philippe.batailler@free.fr--2005/VOGTapt--mvo--0--patch-2
Generate correctly french manpages
Diffstat (limited to 'doc/apt-secure.8.xml')
| -rw-r--r-- | doc/apt-secure.8.xml | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml new file mode 100644 index 000000000..e22446030 --- /dev/null +++ b/doc/apt-secure.8.xml @@ -0,0 +1,209 @@ +<?xml version="1.0" encoding="utf-8" standalone="no"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + +<!ENTITY % aptent SYSTEM "apt.ent"> +%aptent; + +]> + +<refentry> + &apt-docinfo; + + <refmeta> + <refentrytitle>apt-secure</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + +<!-- NOTE: This manpage has been written based on the + Securing Debian Manual ("Debian Security + Infrastructure" chapter) and on documentation + available at the following sites: + http://wiki.debian.net/?apt06 + http://www.syntaxpolice.org/apt-secure/ + http://www.enyo.de/fw/software/apt-secure/ +--> +<!-- TODO: write a more verbose example of how it works with + a sample similar to + http://www.debian-administration.org/articles/174 + ? +--> + + + <!-- Man page title --> + <refnamediv> + <refname>apt-secure</refname> + <refpurpose>Archive authentication support for APT</refpurpose> + </refnamediv> + + <refsect1><title>Description</title> + <para> + Starting with version 0.6, <command>apt</command> contains code + that does signature checking of the Release file for all + archives. This ensures that packages in the archive can't be + modified by people who have no access to the Release file signing + key. + </para> + + <para> + If a package comes from a archive without a signature or with a + signature that apt does not have a key for that package is + considered untrusted and installing it will result in a big + warning. <command>apt-get</command> will currently only warn + for unsigned archives, future releases might force all sources + to be verified before downloading packages from them. + </para> + + <para> + The package frontends &apt-get;, &aptitude; and &synaptic; support this new + authentication feature. + </para> +</refsect1> + + <refsect1><title>Trusted archives</title> + + <para> + The chain of trust from an apt archive to the end user is made up of + different steps. <command>apt-secure</command> is the last step in + this chain, trusting an archive does not mean that the packages + that you trust it do not contain malicious code but means that you + trust the archive maintainer. Its the archive maintainer + responsibility to ensure that the archive integrity is correct. + </para> + + <para>apt-secure does not review signatures at a + package level. If you require tools to do this you should look at + <command>debsig-verify</command> and + <command>debsign</command> (provided in the debsig-verify and + devscripts packages respectively).</para> + + <para> + The chain of trust in Debian starts when a maintainer uploads a new + package or a new version of a package to the Debian archive. This + upload in order to become effective needs to be signed by a key of + a maintainer within the Debian maintainer's keyring (available in + the debian-keyring package). Maintainer's keys are signed by + other maintainers following pre-established procedures to + ensure the identity of the key holder. + </para> + + <para> + Once the uploaded package is verified and included in the archive, + the maintainer signature is stripped off, an MD5 sum of the package + is computed and put in the Packages file. The MD5 sum of all of the + packages files are then computed and put into the Release file. The + Release file is then signed by the archive key (which is created + once a year and distributed through the FTP server. This key is + also on the Debian keyring. + </para> + + <para> + Any end user can check the signature of the Release file, extract the MD5 + sum of a package from it and compare it with the MD5 sum of the + package he downloaded. Prior to version 0.6 only the MD5 sum of the + downloaded Debian package was checked. Now both the MD5 sum and the + signature of the Release file are checked. + </para> + + <para>Notice that this is distinct from checking signatures on a + per package basis. It is designed to prevent two possible attacks: + </para> + + <itemizedlist> + <listitem><para><literal>Network "man in the middle" + attacks</literal>. Without signature checking, a malicious + agent can introduce himself in the package download process and + provide malicious software either by controlling a network + element (router, switch, etc.) or by redirecting traffic to a + rogue server (through arp or DNS spoofing + attacks).</para></listitem> + + <listitem><para><literal>Mirror network compromise</literal>. + Without signature checking, a malicious agent can compromise a + mirror host and modify the files in it to propage malicious + software to all users downloading packages from that + host.</para></listitem> + </itemizedlist> + + <para>However, it does not defend against a compromise of the + Debian master server itself (which signs the packages) or against a + compromise of the key used to sign the Release files. In any case, + this mechanism can complement a per-package signature.</para> +</refsect1> + + <refsect1><title>User configuration</title> + <para> + <command>apt-key</command> is the program that manages the list + of keys used by apt. It can be used to add or remove keys although + an installation of this release will automatically provide the + default Debian archive signing keys used in the Debian package + repositories. + </para> + <para> + In order to add a new key you need to first download it + (you should make sure you are using a trusted communication channel + when retrieving it), add it with <command>apt-key</command> and + then run <command>apt-get update</command> so that apt can download + and verify the <filename>Release.gpg</filename> files from the archives you + have configured. + </para> +</refsect1> + +<refsect1><title>Archive configuration</title> + <para> + If you want to provide archive signatures in an archive under your + maintenance you have to: + </para> + + <itemizedlist> + <listitem><para><literal>Create a toplevel Release + file</literal>. if it does not exist already. You can do this + by running <command>apt-ftparchive release</command> + (provided inftp apt-utils).</para></listitem> + + <listitem><para><literal>Sign it</literal>. You can do this by running + <command>gpg -abs -o Release.gpg Release</command>.</para></listitem> + + <listitem><para><literal>Publish the key fingerprint</literal>, + that way your users will know what key they need to import in + order to authenticate the files in the + archive.</para></listitem> + + </itemizedlist> + + <para>Whenever the contents of the archive changes (new packages + are added or removed) the archive maintainer has to follow the + first two steps previously outlined.</para> + +</refsect1> + +<refsect1><title>See Also</title> +<para> +&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-archive;, +&debsign; &debsig-verify;, &gpg; +</para> + +<para>For more backgound information you might want to review the +<ulink +url="http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html">Debian +Security Infrastructure</ulink> chapter of the Securing Debian Manual +(available also in the harden-doc package) and the +<ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html" +>Strong Distribution HOWTO</ulink> by V. Alex Brennen. </para> + +</refsect1> + + &manbugs; + &manauthor; + +<refsect1><title>Manpage Authors</title> + +<para>This man-page is based on the work of Javier Fernández-Sanguino +Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt. +</para> + +</refsect1> + + +</refentry> + |