[apt.git] / doc / apt-secure.8.xml

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
]>

<refentry>
 <refentryinfo>
   &apt-author.jgunthorpe;
   &apt-author.team;
   &apt-email;
   &apt-product;
   <!-- The last update date -->
   <date>2016-03-18T00:00:00Z</date>
 </refentryinfo>

 <refmeta>
   <refentrytitle>apt-secure</refentrytitle>
   <manvolnum>8</manvolnum>
   <refmiscinfo class="manual">APT</refmiscinfo>
 </refmeta>

<!-- NOTE: This manpage has been written based on the
     Securing Debian Manual ("Debian Security
     Infrastructure" chapter) and on documentation
     available at the following sites:
     http://wiki.debian.net/?apt06
     http://www.syntaxpolice.org/apt-secure/
     http://www.enyo.de/fw/software/apt-secure/
-->
<!-- TODO: write a more verbose example of how it works with 
     a sample similar to 
     http://www.debian-administration.org/articles/174
     ?
--> 

 
 <!-- Man page title -->
 <refnamediv>
    <refname>apt-secure</refname>
    <refpurpose>Archive authentication support for APT</refpurpose>
 </refnamediv>

 <refsect1><title>Description</title>
   <para>
   Starting with version 0.6, <command>APT</command> contains code that does
   signature checking of the Release file for all repositories. This ensures
   that data like packages in the archive can't be modified by people who
   have no access to the Release file signing key. Starting with version 1.1
   <command>APT</command> requires repositories to provide recent authentication
   information for unimpeded usage of the repository.
   </para>

   <para>
   If an archive has an unsigned Release file or no Release file at all
   current APT versions will refuse to download data from them by default
   in <command>update</command> operations and even if forced to download
   front-ends like &apt-get; will require explicit confirmation if an
   installation request includes a package from such an unauthenticated
   archive.
   </para>

   <para>
   As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
   encounters unauthenticated archives to give a slightly longer grace period
   on this backward compatibility effecting change. This exception will be removed
   in future releases and you can opt-out of this grace period by setting the
   configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
   to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
   on the command line.
   </para>

   <para>
   You can force all APT clients to raise only warnings by setting the
   configuration option <option>Acquire::AllowInsecureRepositories</option> to
   <literal>true</literal>. Note that this option will eventually be removed.
   Users also have the <option>Trusted</option> option available to disable
   even the warnings, but be sure to understand the implications as detailed in
   &sources-list;.
   </para>

   <para>
   A repository which previously was authentication but would loose this state in
   an <command>update</command> operation raises an error in all APT clients
   irrespective of the option to allow or forbid usage of insecure repositories.
   The error can be overcome by additionally setting
   <option>Acquire::AllowDowngradeToInsecureRepositories</option>
   to <literal>true</literal>.
   </para>

   <para>
   Note: All APT-based package management front-ends like &apt-get;, &aptitude;
   and &synaptic; support this authentication feature, so this manpage uses
   <literal>APT</literal> to refer to them all for simplicity only.
   </para>
</refsect1>

 <refsect1><title>Trusted Repositories</title>

   <para>
   The chain of trust from an APT archive to the end user is made up of
   several steps. <command>apt-secure</command> is the last step in
   this chain; trusting an archive does not mean that you trust its
   packages not to contain malicious code, but means that you
   trust the archive maintainer. It's the archive maintainer's
   responsibility to ensure that the archive's integrity is preserved.
   </para>

   <para>apt-secure does not review signatures at a
   package level. If you require tools to do this you should look at
   <command>debsig-verify</command> and
   <command>debsign</command> (provided in the debsig-verify and
   devscripts packages respectively).</para>

   <para>
   The chain of trust in Debian starts (e.g.) when a maintainer uploads a new
   package or a new version of a package to the Debian archive. In
   order to become effective, this upload needs to be signed by a key
   contained in one of the Debian package maintainer keyrings (available in
   the debian-keyring package). Maintainers' keys are signed by
   other maintainers following pre-established procedures to
   ensure the identity of the key holder. Similar procedures exist in all
   Debian-based distributions.
   </para>

   <para>
   Once the uploaded package is verified and included in the archive,
   the maintainer signature is stripped off, and checksums of the package
   are computed and put in the Packages file. The checksums of all of the
   Packages files are then computed and put into the Release file. The
   Release file is then signed by the archive key for this &keyring-distro; release,
   and distributed alongside the packages and the Packages files on
   &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring
   available in the &keyring-package; package.
   </para>

   <para>
   End users can check the signature of the Release file, extract a checksum
   of a package from it and compare it with the checksum of the package
   they downloaded by hand - or rely on APT doing this automatically.
   </para>

   <para>Notice that this is distinct from checking signatures on a
   per package basis. It is designed to prevent two possible attacks:
   </para>

    <itemizedlist>
       <listitem><para><literal>Network "man in the middle"
       attacks</literal>. Without signature checking, malicious
       agents can introduce themselves into the package download process and
       provide malicious software either by controlling a network
       element (router, switch, etc.) or by redirecting traffic to a
       rogue server (through ARP or DNS spoofing
       attacks).</para></listitem>
 
       <listitem><para><literal>Mirror network compromise</literal>.
        Without signature checking, a malicious agent can compromise a
        mirror host and modify the files in it to propagate malicious
        software to all users downloading packages from that
        host.</para></listitem>
    </itemizedlist>

   <para>However, it does not defend against a compromise of the
   master server itself (which signs the packages) or against a
   compromise of the key used to sign the Release files. In any case,
   this mechanism can complement a per-package signature.</para>
</refsect1>

 <refsect1><title>User Configuration</title>
   <para>
   <command>apt-key</command> is the program that manages the list of keys used
   by APT to trust repositories. It can be used to add or remove keys as well
   as list the trusted keys. Limiting which key(s) are able to sign which archive
   is possible via the <option>Signed-By</option> in &sources-list;.
   </para><para>
   Note that a default installation already contains all keys to securely
   acquire packages from the default repositories, so fiddling with
   <command>apt-key</command> is only needed if third-party repositories are
   added.
   </para><para>
   In order to add a new key you need to first download it
   (you should make sure you are using a trusted communication channel
   when retrieving it), add it with <command>apt-key</command> and
   then run <command>apt-get update</command> so that apt can download
   and verify the <filename>InRelease</filename> or <filename>Release.gpg</filename>
   files from the archives you have configured.
   </para>
</refsect1>

<refsect1><title>Archive Configuration</title>
   <para>
   If you want to provide archive signatures in an archive under your
   maintenance you have to:
   </para>

     <itemizedlist>
       <listitem><para><emphasis>Create a toplevel Release
       file</emphasis>,  if it does not exist already. You can do this
       by running <command>apt-ftparchive release</command> 
       (provided in apt-utils).</para></listitem>
   
      <listitem><para><emphasis>Sign it</emphasis>. You can do this by running
      <command>gpg --clearsign -o InRelease Release</command> and
      <command>gpg -abs -o Release.gpg Release</command>.</para></listitem>

      <listitem><para>
      <emphasis>Publish the key fingerprint</emphasis>, so that your users
      will know what key they need to import in order to authenticate the files
      in the archive. It is best to ship your key in its own keyring package
      like &keyring-distro; does with &keyring-package; to be able to
      distribute updates and key transitions automatically later.
      </para></listitem>

      <listitem><para>
      <emphasis>Provide instructions on how to add your archive and key</emphasis>.
      If your users can't acquire your key securely the chain of trust described above is broken.
      How you can help users add your key depends on your archive and target audience ranging
      from having your keyring package included in another archive users already have configured
      (like the default repositories of their distribution) to leveraging the web of trust.
      </para></listitem>

    </itemizedlist>

    <para>Whenever the contents of the archive change (new packages
    are added or removed) the archive maintainer has to follow the
    first two steps outlined above.</para>

</refsect1>

<refsect1><title>See Also</title> 
<para> 
&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;,
&debsign;, &debsig-verify;, &gpg;
</para>

<para>For more background information you might want to review the
<ulink
url="https://www.debian.org/doc/manuals/securing-debian-howto/ch7">Debian
Security Infrastructure</ulink> chapter of the Securing Debian Manual
(also available in the harden-doc package) and the
<ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html"
>Strong Distribution HOWTO</ulink> by V. Alex Brennen.  </para>

</refsect1>

 &manbugs;
 &manauthor;

<refsect1><title>Manpage Authors</title> 

<para>This man-page is based on the work of Javier Fernández-Sanguino
Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
</para>

</refsect1>
 

</refentry>
Commit	Line	Data
d2793259	1	<?xml version="1.0" encoding="utf-8" standalone="no"?>
81cf16a2 DK	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
81cf16a2 DK	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
5abbf5bb DK	4	<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
	5	<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
	6	<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
d2793259 MV	7	]>
	8
	9	<refentry>
45fb8bf7 DK	10	<refentryinfo>
	11	&apt-author.jgunthorpe;
	12	&apt-author.team;
	13	&apt-email;
	14	&apt-product;
	15	<!-- The last update date -->
952ee63b	16	<date>2016-03-18T00:00:00Z</date>
45fb8bf7 DK	17	</refentryinfo>
45fb8bf7 DK	18
d2793259 MV	19	<refmeta>
	20	<refentrytitle>apt-secure</refentrytitle>
	21	<manvolnum>8</manvolnum>
f0599b9c	22	<refmiscinfo class="manual">APT</refmiscinfo>
d2793259 MV	23	</refmeta>
	24
	25	<!-- NOTE: This manpage has been written based on the
	26	Securing Debian Manual ("Debian Security
	27	Infrastructure" chapter) and on documentation
	28	available at the following sites:
	29	http://wiki.debian.net/?apt06
	30	http://www.syntaxpolice.org/apt-secure/
	31	http://www.enyo.de/fw/software/apt-secure/
	32	-->
	33	<!-- TODO: write a more verbose example of how it works with
	34	a sample similar to
	35	http://www.debian-administration.org/articles/174
	36	?
	37	-->
	38
	39
	40	<!-- Man page title -->
	41	<refnamediv>
	42	<refname>apt-secure</refname>
	43	<refpurpose>Archive authentication support for APT</refpurpose>
	44	</refnamediv>
	45
	46	<refsect1><title>Description</title>
	47	<para>
002b1bc4 DK	48	Starting with version 0.6, <command>APT</command> contains code that does
	49	signature checking of the Release file for all repositories. This ensures
	50	that data like packages in the archive can't be modified by people who
952ee63b DK	51	have no access to the Release file signing key. Starting with version 1.1
	52	<command>APT</command> requires repositories to provide recent authentication
	53	information for unimpeded usage of the repository.
d2793259 MV	54	</para>
	55
	56	<para>
0900a074	57	If an archive has an unsigned Release file or no Release file at all
952ee63b DK	58	current APT versions will refuse to download data from them by default
	59	in <command>update</command> operations and even if forced to download
	60	front-ends like &apt-get; will require explicit confirmation if an
	61	installation request includes a package from such an unauthenticated
	62	archive.
d2793259 MV	63	</para>
	64
	65	<para>
952ee63b DK	66	As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
	67	encounters unauthenticated archives to give a slightly longer grace period
	68	on this backward compatibility effecting change. This exception will be removed
	69	in future releases and you can opt-out of this grace period by setting the
	70	configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
	71	to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
	72	on the command line.
	73	</para>
	74
	75	<para>
	76	You can force all APT clients to raise only warnings by setting the
	77	configuration option <option>Acquire::AllowInsecureRepositories</option> to
	78	<literal>true</literal>. Note that this option will eventually be removed.
	79	Users also have the <option>Trusted</option> option available to disable
	80	even the warnings, but be sure to understand the implications as detailed in
	81	&sources-list;.
	82	</para>
	83
	84	<para>
	85	A repository which previously was authentication but would loose this state in
	86	an <command>update</command> operation raises an error in all APT clients
	87	irrespective of the option to allow or forbid usage of insecure repositories.
	88	The error can be overcome by additionally setting
	89	<option>Acquire::AllowDowngradeToInsecureRepositories</option>
	90	to <literal>true</literal>.
002b1bc4 DK	91	</para>
	92
	93	<para>
0900a074	94	Note: All APT-based package management front-ends like &apt-get;, &aptitude;
002b1bc4 DK	95	and &synaptic; support this authentication feature, so this manpage uses
002b1bc4 DK	96	<literal>APT</literal> to refer to them all for simplicity only.
d2793259 MV	97	</para>
	98	</refsect1>
	99
0900a074	100	<refsect1><title>Trusted Repositories</title>
d2793259	101
002b1bc4 DK	102	<para>
002b1bc4 DK	103	The chain of trust from an APT archive to the end user is made up of
75d9bdba JR	104	several steps. <command>apt-secure</command> is the last step in
	105	this chain; trusting an archive does not mean that you trust its
	106	packages not to contain malicious code, but means that you
	107	trust the archive maintainer. It's the archive maintainer's
	108	responsibility to ensure that the archive's integrity is preserved.
d2793259 MV	109	</para>
	110
	111	<para>apt-secure does not review signatures at a
	112	package level. If you require tools to do this you should look at
	113	<command>debsig-verify</command> and
	114	<command>debsign</command> (provided in the debsig-verify and
	115	devscripts packages respectively).</para>
	116
	117	<para>
0900a074	118	The chain of trust in Debian starts (e.g.) when a maintainer uploads a new
75d9bdba JR	119	package or a new version of a package to the Debian archive. In
75d9bdba JR	120	order to become effective, this upload needs to be signed by a key
0900a074	121	contained in one of the Debian package maintainer keyrings (available in
75d9bdba	122	the debian-keyring package). Maintainers' keys are signed by
d2793259	123	other maintainers following pre-established procedures to
002b1bc4 DK	124	ensure the identity of the key holder. Similar procedures exist in all
002b1bc4 DK	125	Debian-based distributions.
d2793259 MV	126	</para>
	127
	128	<para>
	129	Once the uploaded package is verified and included in the archive,
75d9bdba JR	130	the maintainer signature is stripped off, and checksums of the package
	131	are computed and put in the Packages file. The checksums of all of the
	132	Packages files are then computed and put into the Release file. The
694ef56e	133	Release file is then signed by the archive key for this &keyring-distro; release,
75d9bdba	134	and distributed alongside the packages and the Packages files on
694ef56e DK	135	&keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring
694ef56e DK	136	available in the &keyring-package; package.
d2793259 MV	137	</para>
	138
	139	<para>
75d9bdba JR	140	End users can check the signature of the Release file, extract a checksum
	141	of a package from it and compare it with the checksum of the package
	142	they downloaded by hand - or rely on APT doing this automatically.
d2793259 MV	143	</para>
	144
	145	<para>Notice that this is distinct from checking signatures on a
	146	per package basis. It is designed to prevent two possible attacks:
	147	</para>
	148
	149	<itemizedlist>
	150	<listitem><para><literal>Network "man in the middle"
75d9bdba JR	151	attacks</literal>. Without signature checking, malicious
75d9bdba JR	152	agents can introduce themselves into the package download process and
d2793259 MV	153	provide malicious software either by controlling a network
d2793259 MV	154	element (router, switch, etc.) or by redirecting traffic to a
75d9bdba	155	rogue server (through ARP or DNS spoofing
d2793259 MV	156	attacks).</para></listitem>
	157
	158	<listitem><para><literal>Mirror network compromise</literal>.
	159	Without signature checking, a malicious agent can compromise a
6141cfe0	160	mirror host and modify the files in it to propagate malicious
d2793259 MV	161	software to all users downloading packages from that
	162	host.</para></listitem>
	163	</itemizedlist>
	164
	165	<para>However, it does not defend against a compromise of the
002b1bc4	166	master server itself (which signs the packages) or against a
d2793259 MV	167	compromise of the key used to sign the Release files. In any case,
	168	this mechanism can complement a per-package signature.</para>
	169	</refsect1>
	170
0900a074	171	<refsect1><title>User Configuration</title>
d2793259	172	<para>
002b1bc4 DK	173	<command>apt-key</command> is the program that manages the list of keys used
	174	by APT to trust repositories. It can be used to add or remove keys as well
	175	as list the trusted keys. Limiting which key(s) are able to sign which archive
	176	is possible via the <option>Signed-By</option> in &sources-list;.
	177	</para><para>
d04e44ac	178	Note that a default installation already contains all keys to securely
002b1bc4 DK	179	acquire packages from the default repositories, so fiddling with
	180	<command>apt-key</command> is only needed if third-party repositories are
	181	added.
	182	</para><para>
d2793259 MV	183	In order to add a new key you need to first download it
	184	(you should make sure you are using a trusted communication channel
	185	when retrieving it), add it with <command>apt-key</command> and
	186	then run <command>apt-get update</command> so that apt can download
fe0f7911 DK	187	and verify the <filename>InRelease</filename> or <filename>Release.gpg</filename>
fe0f7911 DK	188	files from the archives you have configured.
d2793259 MV	189	</para>
	190	</refsect1>
	191
0900a074	192	<refsect1><title>Archive Configuration</title>
d2793259 MV	193	<para>
	194	If you want to provide archive signatures in an archive under your
	195	maintenance you have to:
	196	</para>
	197
	198	<itemizedlist>
5f4331c4 DK	199	<listitem><para><emphasis>Create a toplevel Release
5f4331c4 DK	200	file</emphasis>, if it does not exist already. You can do this
d2793259	201	by running <command>apt-ftparchive release</command>
e3a1f08d	202	(provided in apt-utils).</para></listitem>
d2793259	203
5f4331c4	204	<listitem><para><emphasis>Sign it</emphasis>. You can do this by running
fe0f7911	205	<command>gpg --clearsign -o InRelease Release</command> and
d2793259 MV	206	<command>gpg -abs -o Release.gpg Release</command>.</para></listitem>
d2793259 MV	207
002b1bc4	208	<listitem><para>
0900a074	209	<emphasis>Publish the key fingerprint</emphasis>, so that your users
002b1bc4 DK	210	will know what key they need to import in order to authenticate the files
	211	in the archive. It is best to ship your key in its own keyring package
	212	like &keyring-distro; does with &keyring-package; to be able to
	213	distribute updates and key transitions automatically later.
	214	</para></listitem>
	215
	216	<listitem><para>
	217	<emphasis>Provide instructions on how to add your archive and key</emphasis>.
d04e44ac	218	If your users can't acquire your key securely the chain of trust described above is broken.
002b1bc4 DK	219	How you can help users add your key depends on your archive and target audience ranging
002b1bc4 DK	220	from having your keyring package included in another archive users already have configured
0900a074	221	(like the default repositories of their distribution) to leveraging the web of trust.
002b1bc4	222	</para></listitem>
d2793259 MV	223
	224	</itemizedlist>
	225
75d9bdba	226	<para>Whenever the contents of the archive change (new packages
d2793259	227	are added or removed) the archive maintainer has to follow the
75d9bdba	228	first two steps outlined above.</para>
d2793259 MV	229
	230	</refsect1>
	231
	232	<refsect1><title>See Also</title>
	233	<para>
2f493cc6	234	&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;,
480c2414	235	&debsign;, &debsig-verify;, &gpg;
d2793259 MV	236	</para>
d2793259 MV	237
e3a1f08d	238	<para>For more background information you might want to review the
d2793259	239	<ulink
002b1bc4	240	url="https://www.debian.org/doc/manuals/securing-debian-howto/ch7">Debian
d2793259	241	Security Infrastructure</ulink> chapter of the Securing Debian Manual
0900a074	242	(also available in the harden-doc package) and the
d2793259 MV	243	<ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html"
	244	>Strong Distribution HOWTO</ulink> by V. Alex Brennen. </para>
	245
	246	</refsect1>
	247
	248	&manbugs;
	249	&manauthor;
	250
c3f389d0 MV	251	<refsect1><title>Manpage Authors</title>
c3f389d0 MV	252
2ac470e1 MV	253	<para>This man-page is based on the work of Javier Fernández-Sanguino
2ac470e1 MV	254	Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
c3f389d0 MV	255	</para>
	256
	257	</refsect1>
	258
	259
d2793259	260	</refentry>