From d2793259e3dcf76e5c547a5eb72845211bc14905 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 11 Aug 2005 14:51:07 +0000 Subject: * added patch that adds a apt-secure man-page (thanks to jfs@computer.org) --- debian/apt.manpages | 1 + debian/changelog | 7 +- doc/apt-key.8.xml | 47 ++++++++++-- doc/apt-secure.8.xml | 200 +++++++++++++++++++++++++++++++++++++++++++++++++++ doc/apt.ent | 49 +++++++++++++ doc/makefile | 3 +- 6 files changed, 301 insertions(+), 6 deletions(-) create mode 100644 doc/apt-secure.8.xml diff --git a/debian/apt.manpages b/debian/apt.manpages index e621e1c49..b52ea3d3d 100644 --- a/debian/apt.manpages +++ b/debian/apt.manpages @@ -3,6 +3,7 @@ doc/apt-cdrom.8 doc/apt-config.8 doc/apt-get.8 doc/apt-key.8 +doc/apt-secure.8 doc/apt.8 doc/apt.conf.5 doc/apt_preferences.5 diff --git a/debian/changelog b/debian/changelog index 2086f76a6..0ed408fda 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,7 +9,12 @@ apt (0.6.40.2) unstable; urgency=low * Support architecture-specific extra overrides (closes: #225947). Thanks to Anthony Towns for idea and the patch, thanks to Colin Watson for testing it. - + * Javier Fernandez-Sanguino Pen~a: + - Added a first version of an apt-secure.8 manpage, and modified + apt-key and apt.end accordingly. Also added the 'update' + argument to apt-key which was previously not documented + (Closes: #322120) + -- apt (0.6.40.1) unstable; urgency=low diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml index 62686618a..eac61307d 100644 --- a/doc/apt-key.8.xml +++ b/doc/apt-key.8.xml @@ -68,17 +68,56 @@ List trusted keys. + + + update + + + + Update the local keyring with the keyring of Debian archive + keys and removes from the keyring the archive keys which are no + longer valid. + + + + + + + + + Files + + /etc/apt/trusted.gpg + Keyring of local trusted keys, new keys will be added here. + + + /etc/apt/trustdb.gpg + Local trust database of archive keys. + + + /usr/share/keyrings/debian-archive-keyring.gpg + Keyring of Debian archive trusted keys. + + + /usr/share/keyrings/debian-archive-removed-keys.gpg + Keyring of Debian archive removed trusted keys. + + + + + - - - - +See Also + +&apt-get;, &apt-secure; + + &manbugs; &manauthor; diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml new file mode 100644 index 000000000..c1d46cb45 --- /dev/null +++ b/doc/apt-secure.8.xml @@ -0,0 +1,200 @@ + + +%aptent; + +]> + + + &apt-docinfo; + + + apt-secure + 8 + + + + + + + + + apt-secure + Archive authentication support for APT + + + Description + + Starting with version 0.6, apt contains code + that does signature checking of the Release file for all + archives. This ensures that packages in the archive can't be + modified by people who have no access to the Release file signing + key. + + + + If a package comes from a archive without a signature or with a + signature that apt does not have a key for that package is + considered untrusted and installing it will result in a big + warning. apt-get will currently only warn + for unsigned archives, future releases might force all sources + to be verified before downloading packages from them. + + + + The package frontends &apt-get;, &aptitude; and &synaptic; support this new + authentication feature. + + + + Trusted archives + + + The chain of trust from an apt archive to the end user is made up of + different steps. apt-secure is the last step in + this chain, trusting an archive does not mean that the packages + that you trust it do not contain malicious code but means that you + trust the archive maintainer. Its the archive maintainer + responsibility to ensure that the archive integrity is correct. + + + apt-secure does not review signatures at a + package level. If you require tools to do this you should look at + debsig-verify and + debsign (provided in the debsig-verify and + devscripts packages respectively). + + + The chain of trust in Debian starts when a maintainer uploads a new + package or a new version of a package to the Debian archive. This + upload in order to become effective needs to be signed by a key of + a maintainer within the Debian maintainer's keyring (available in + the debian-keyring package). Maintainer's keys are signed by + other maintainers following pre-established procedures to + ensure the identity of the key holder. + + + + Once the uploaded package is verified and included in the archive, + the maintainer signature is stripped off, an MD5 sum of the package + is computed and put in the Packages file. The MD5 sum of all of the + packages files are then computed and put into the Release file. The + Release file is then signed by the archive key (which is created + once a year and distributed through the FTP server. This key is + also on the Debian keyring. + + + + Any end user can check the signature of the Release file, extract the MD5 + sum of a package from it and compare it with the MD5 sum of the + package he downloaded. Prior to version 0.6 only the MD5 sum of the + downloaded Debian package was checked. Now both the MD5 sum and the + signature of the Release file are checked. + + + Notice that this is distinct from checking signatures on a + per package basis. It is designed to prevent two possible attacks: + + + + Network "man in the middle" + attacks. Without signature checking, a malicious + agent can introduce himself in the package download process and + provide malicious software either by controlling a network + element (router, switch, etc.) or by redirecting traffic to a + rogue server (through arp or DNS spoofing + attacks). + + Mirror network compromise. + Without signature checking, a malicious agent can compromise a + mirror host and modify the files in it to propage malicious + software to all users downloading packages from that + host. + + + However, it does not defend against a compromise of the + Debian master server itself (which signs the packages) or against a + compromise of the key used to sign the Release files. In any case, + this mechanism can complement a per-package signature. + + + User configuration + + apt-key is the program that manages the list + of keys used by apt. It can be used to add or remove keys although + an installation of this release will automatically provide the + default Debian archive signing keys used in the Debian package + repositories. + + + In order to add a new key you need to first download it + (you should make sure you are using a trusted communication channel + when retrieving it), add it with apt-key and + then run apt-get update so that apt can download + and verify the Release.gpg files from the archives you + have configured. + + + +Archive configuration + + If you want to provide archive signatures in an archive under your + maintenance you have to: + + + + Create a toplevel Release + file. if it does not exist already. You can do this + by running apt-ftparchive release + (provided inftp apt-utils). + + Sign it. You can do this by running + gpg -abs -o Release.gpg Release. + + Publish the key fingerprint, + that way your users will know what key they need to import in + order to authenticate the files in the + archive. + + + + Whenever the contents of the archive changes (new packages + are added or removed) the archive maintainer has to follow the + first two steps previously outlined. + + + +See Also + +&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-archive;, +&debsign; &debsig-verify;, &gpg; + + +For more backgound information you might want to review the +Debian +Security Infrastructure chapter of the Securing Debian Manual +(available also in the harden-doc package) and the +Strong Distribution HOWTO by V. Alex Brennen. + + + + &manbugs; + &manauthor; + + + diff --git a/doc/apt.ent b/doc/apt.ent index 8054a25f6..cf22df6d2 100644 --- a/doc/apt.ent +++ b/doc/apt.ent @@ -44,6 +44,25 @@ " > + + apt-key + 8 + " +> + + + apt-secure + 8 + " +> + + + apt-archive + 1 + " +> + + sources.list 5 @@ -91,6 +110,36 @@ 8 " > + + + aptitude + 8 + " +> + + + synaptic + 8 + " +> + + + debsign + 1 + " +> + + + debsig-verify + 1 + " +> + + + gpg + 1 + " +>