
gnupg, digital certificates, and apt



Some time ago, I was reading an article by Kurt Seifried at
securityportal.com regarding debian not using digital certificates for
their packages, and how this affected security.  Being a debian user,
and an admirer of apt in particular, I have often thought about how this
functionality could be added to apt.  I am only an intermediate
programmer myself, however.

I was wondering if there were any plans to incorporate digital
certificate checking with apt?

I had an idea where gnupg could be used.  Have each debian maintainer
generate a gnupg key pair that is for use with debian.  Make their
public keys available on a debian public keyring.  Then, the maintainers
can encrypt the md5 checksum that they would normally generate for the
Packages.gz file with their debian gnupg secret key.  So that
Packages.gz would not have to change, a Packages.md5.gz file could be
created which would contain this encrypted md5 sum.  Apt could then be
modified to be given a flag (like 'secure') that can be used to download
this encrypted key, then decrypt it with the public key from the
maintainer, and get the checksum that way.

Perhaps there would be a better way to do this, however, this solution
does not change the Packages.gz format (though of course a more elegant
solution would), and apt would not be required to use the new secure
option (I am thinking about US export laws, etc).  This would retain
backward compatibility, and added security at a relatively low cost (a
few extra files on the mirror sites, the debian public key ring, and of
course some coding!).  To comply with US export laws, there could be two
versions of apt: apt and apt-gnupg.  Apt would remain the same (ie
compiled without the added security feature above).  Apt-gnupg would
then depend on gnupg, and during the install of apt-gnupg the gnupg
public key rings would of course have to be downloaded to initialize apt
for decryption of the checksum.

I also thought about openssl, however I thought that this solution would
be better because there is no cost involved in using gnupg, but there is
in getting a certificate used for verification with openssl.

Please let me know if I am way off base or if digital signatures are in
the works for apt, so I can stop thinking about it!  :-)

Thanks,

James Strandboge
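An added example, not part of James's post nor apt's or Debian's own code, showing the proposed Packages.md5 step done with GnuPG's real primitive: in GnuPG terms "encrypting the checksum with the secret key" is a detached signature, and the client has to do two checks, that the signature verifies against the Debian keyring alone (not the user's own keys) and that the signed md5 matches the Packages.gz it actually downloaded. It assumes GnuPG 2.1 or later and GNU coreutils (md5sum); the key identity, directories and file contents are all constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the proposed Packages.md5 scheme
# done with GnuPG detached signatures instead of "encrypting" the checksum.
# Assumes GnuPG 2.1+ and GNU coreutils; every path and identity is constructed.
set -eu
WORK=$(mktemp -d)
cleanup() {
  gpgconf --kill all 2>/dev/null || true
  GNUPGHOME="$WORK/apt-client" gpgconf --kill all 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT
export GNUPGHOME="$WORK/maintainer"            # maintainer's private keyring
mkdir -m 700 "$GNUPGHOME" "$WORK/apt-client" "$WORK/mirror"

# Maintainer side: a Debian-only key pair (constructed test identity, no passphrase).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Test Maintainer <maint@example.invalid>' 2>/dev/null
# The public half is what the "debian public keyring" shipped with apt-gnupg would hold.
gpg --batch --quiet --export --output "$WORK/debian-keyring.gpg"

# Mirror side: Packages.gz (constructed placeholder content, not a real index),
# its md5 in Packages.md5, and a detached signature over that checksum file.
cd "$WORK/mirror"
printf 'Package: apt\nVersion: 0.3.x\n' > Packages.gz
md5sum Packages.gz > Packages.md5
gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output Packages.md5.asc Packages.md5

# Client side (what an apt-gnupg "secure" fetch would do) for the mirror dir in $1:
# 1. the signature must verify against the Debian keyring ONLY, never the user's keys;
# 2. the signed md5 must match the Packages.gz actually downloaded. Both, or reject.
verify_packages() {
  ( cd "$1" \
    && gpg --batch --quiet --homedir "$WORK/apt-client" --no-default-keyring \
           --keyring "$WORK/debian-keyring.gpg" \
           --verify Packages.md5.asc Packages.md5 2>/dev/null \
    && md5sum -c --status Packages.md5 )
}

# A tampered copy: a changed Packages.gz no longer matches the signed checksum.
cp -r "$WORK/mirror" "$WORK/tampered"
printf 'Package: evil\n' >> "$WORK/tampered/Packages.gz"

verify_packages "$WORK/mirror"   && echo "mirror:   checksum signed and matches"
verify_packages "$WORK/tampered" || echo "tampered: rejected"
```

Note that the signature is over the checksum file, so an attacker who replaces Packages.gz and rewrites Packages.md5 to match is still caught: the old signature no longer verifies against the new checksum file.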
