X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/86d9e9635a23c7ecfe2de7f440a6acce320067bc..dc95fee18e8df2b00404c7d0f321f5b78e00f170:/doc/apt-secure.8.xml diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 20f473f77..981351615 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -1,15 +1,27 @@ - %aptent; + +%aptverbatiment; + + +%aptvendor; ]> - &apt-docinfo; - + + &apt-author.jgunthorpe; + &apt-author.team; + &apt-email; + &apt-product; + + 2012-06-09T00:00:00Z + + apt-secure 8 @@ -47,11 +59,11 @@ - If a package comes from a archive without a signature or with a - signature that apt does not have a key for that package is - considered untrusted and installing it will result in a big + If a package comes from a archive without a signature, or with a + signature that apt does not have a key for, that package is + considered untrusted, and installing it will result in a big warning. apt-get will currently only warn - for unsigned archives, future releases might force all sources + for unsigned archives; future releases might force all sources to be verified before downloading packages from them. @@ -65,11 +77,11 @@ The chain of trust from an apt archive to the end user is made up of - different steps. apt-secure is the last step in - this chain, trusting an archive does not mean that the packages - that you trust it do not contain malicious code but means that you - trust the archive maintainer. Its the archive maintainer - responsibility to ensure that the archive integrity is correct. + several steps. apt-secure is the last step in + this chain; trusting an archive does not mean that you trust its + packages not to contain malicious code, but means that you + trust the archive maintainer. It's the archive maintainer's + responsibility to ensure that the archive's integrity is preserved. apt-secure does not review signatures at a @@ -80,30 +92,29 @@ The chain of trust in Debian starts when a maintainer uploads a new - package or a new version of a package to the Debian archive. This - upload in order to become effective needs to be signed by a key of - a maintainer within the Debian maintainer's keyring (available in - the debian-keyring package). Maintainer's keys are signed by + package or a new version of a package to the Debian archive. In + order to become effective, this upload needs to be signed by a key + contained in the Debian Maintainers keyring (available in + the debian-keyring package). Maintainers' keys are signed by other maintainers following pre-established procedures to ensure the identity of the key holder. Once the uploaded package is verified and included in the archive, - the maintainer signature is stripped off, an MD5 sum of the package - is computed and put in the Packages file. The MD5 sum of all of the - packages files are then computed and put into the Release file. The - Release file is then signed by the archive key (which is created - once a year and distributed through the FTP server. This key is - also on the Debian keyring. + the maintainer signature is stripped off, and checksums of the package + are computed and put in the Packages file. The checksums of all of the + Packages files are then computed and put into the Release file. The + Release file is then signed by the archive key for this &keyring-distro; release, + and distributed alongside the packages and the Packages files on + &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring + available in the &keyring-package; package. - Any end user can check the signature of the Release file, extract the MD5 - sum of a package from it and compare it with the MD5 sum of the - package he downloaded. Prior to version 0.6 only the MD5 sum of the - downloaded Debian package was checked. Now both the MD5 sum and the - signature of the Release file are checked. + End users can check the signature of the Release file, extract a checksum + of a package from it and compare it with the checksum of the package + they downloaded by hand - or rely on APT doing this automatically. Notice that this is distinct from checking signatures on a @@ -112,11 +123,11 @@ Network "man in the middle" - attacks. Without signature checking, a malicious - agent can introduce himself in the package download process and + attacks. Without signature checking, malicious + agents can introduce themselves into the package download process and provide malicious software either by controlling a network element (router, switch, etc.) or by redirecting traffic to a - rogue server (through arp or DNS spoofing + rogue server (through ARP or DNS spoofing attacks). Mirror network compromise. @@ -135,8 +146,8 @@ User configuration apt-key is the program that manages the list - of keys used by apt. It can be used to add or remove keys although - an installation of this release will automatically provide the + of keys used by apt. It can be used to add or remove keys, although + an installation of this release will automatically contain the default Debian archive signing keys used in the Debian package repositories. @@ -145,8 +156,8 @@ (you should make sure you are using a trusted communication channel when retrieving it), add it with apt-key and then run apt-get update so that apt can download - and verify the Release.gpg files from the archives you - have configured. + and verify the InRelease or Release.gpg + files from the archives you have configured. @@ -157,24 +168,25 @@ - Create a toplevel Release - file. if it does not exist already. You can do this + Create a toplevel Release + file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils). - Sign it. You can do this by running + Sign it. You can do this by running + gpg --clearsign -o InRelease Release and gpg -abs -o Release.gpg Release. - Publish the key fingerprint, + Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive. - Whenever the contents of the archive changes (new packages + Whenever the contents of the archive change (new packages are added or removed) the archive maintainer has to follow the - first two steps previously outlined. + first two steps outlined above. @@ -186,7 +198,7 @@ For more background information you might want to review the Debian +url="http://www.debian.org/doc/manuals/securing-debian-howto/ch7">Debian Security Infrastructure chapter of the Securing Debian Manual (available also in the harden-doc package) and the