Re: Install process certification

To: debian-security@lists.debian.org
Subject: Re: Install process certification
From: paddy@panici.net
Date: Fri, 4 Jan 2008 17:22:42 +0000
Message-id: <[🔎] 20080104172242.GA1883@localhost.localdomain>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 597077.1966.qm@web28004.mail.ukl.yahoo.com>
References: <[🔎] 597077.1966.qm@web28004.mail.ukl.yahoo.com>

On Fri, Jan 04, 2008 at 11:15:35AM +0000, Keyser S?ze wrote:
> Hi
> 
> I'd like to know whether it's possible to check the signature of a Debian (Etch) install CD, at the earliest stage of the install process.
> Indeed, right after the base-installer unpacks the base system files, apt loads the contents of the CD and checks the Release.gpg signature against the Release file.
> Two problems, however:
> - apt will complain if the signature is wrong, but won't if the Release.gpg file is not even present on the CD;
> - this procedure excludes the udebs loaded by debian-installer
> 
> So, is there a way to secure the whole install process (I mean, besides manual checking)? I noticed that gpgv is among the default udebs, what is it used for?

Perhaps I don't understand "manual checking".

Would you be satisfied by checking a signature of a checksum of the CD
against a public key that you trust ?

http://www.debian.org/CD/faq/#verify

Regards,
Paddy

Reply to:

References:
- Install process certification
  - From: Keyser Söze <keysersoze_sec@yahoo.fr>

Prev by Date: Re: ping22: can not kill this process
Next by Date: Re: ping22: can not kill this process
Previous by thread: Install process certification
Next by thread: Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
Index(es):
- Date
- Thread