Sorry if this has been brought up before. If there's a prior discussion
anyone can point me to, I'd really appreciate it.

I am trying to set up a Debian 10 based server to host a web app that's
visible to the public. Putting some time into finding out best practices in this situation, I came across the Center for Internet Security (CIS)
document (CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf) that on page 75,
perhaps suggest that apt is not configured correctly to verify packages. I
say "perhaps" because the wording in the PDF isn't very clear.

This lead me to search for more answers online, where I have found an
article that suggests that package metadata is verified, but that package contents are not. ( https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/)
Again, it's unclear if that article applies to Debian 10, but since my
system as "no-debsig" in /etc/dpkg/dpkg.cfg, it seems like it might and therefore my system is not verifying the contents of apt packages and is vulnerable to some sorts of attacks through apt.

The closest to an official word on this, that I have been able to find, is
this web-page (https://wiki.debian.org/SecureApt) but it's not very understandable to me, and it's not clear how up-to-date it is. There is
much talk of Release files, but I don't know where these files are, and so
I can't test out the mechanisms described.

I do know that if I use "apt download" to download a .deb file, break it
apart (using ar and tar), make a change, and put it back together, I can
the use "apt install ./X.deb" to install it, even though I haven't updated
any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg doesn't affect the outcome.

And finally, it seems that even wikipedia says that package signatures
aren't being checked on most systems ( https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).

I hope someone can help me find some answers on this!

thanks,
Ramin

<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Sorry if this has been brought up before. If there&#39;s a prior discussion anyone can point me to, I&#39;d really appreciate it.</div>
<div dir="ltr"><br></div><div dir="ltr">I am trying to set up a Debian 10 based server to host a web app that&#39;s visible to the public. Putting some time into finding out best practices in this situation, I came across the Center for Internet Security
(CIS) document (CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf) that on page 75, perhaps suggest that apt is not configured correctly to verify packages. I say &quot;perhaps&quot; because the wording in the PDF isn&#39;t very clear.</div><div dir="ltr"><br></

<div>This lead me to search for more answers online, where I have found an article that suggests that package metadata is verified, but that package contents are not. (<a href="https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-

packages-apt-repositories/">https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/</a>) Again, it&#39;s unclear if that article applies to Debian 10, but since my system as &quot;no-debsig&quot; in /etc/dpkg/dpkg.
cfg, it seems like it might and therefore my system is not verifying the contents of apt packages and is vulnerable to some sorts of attacks through apt.</div><div><br></div><div>The closest to an official word on this, that I have been able to find, is
this web-page (<a href="https://wiki.debian.org/SecureApt">https://wiki.debian.org/SecureApt</a>) but it&#39;s not very understandable to me, and it&#39;s not clear how up-to-date it is. There is much talk of Release files, but I don&#39;t know where
these files are, and so I can&#39;t test out the mechanisms described.</div><div><br></div><div>I do know that if I use &quot;apt download&quot; to download a .deb file, break it apart (using ar and tar), make a change, and put it back together, I can
the use &quot;apt install ./X.deb&quot; to install it, even though I haven&#39;t updated any security metadata in the .deb file. Removing &quot;no-debsig&quot; in dpkg.cfg doesn&#39;t affect the outcome.</div><div><br></div><div>And finally, it seems
that even wikipedia says that package signatures aren&#39;t being checked on most systems (<a href="https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages">https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages</a>).</div><div><

</div><div>I hope someone can help me find some answers on this!</div><div><br></div><div>thanks,</div><div>Ramin</div></div></div></div></div></div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

If this were an actual problem thousands of people would be having it.

Trust the force.

--
Jonathan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 27, 2021 at 10:23:44AM -0800, Ramin Doe wrote:

This lead me to search for more answers online, where I have found an
article that suggests that package metadata is verified, but that package
contents are not.
([1]https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/)

The signed metadata includes cryptographic checksums of the package
contents. Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without invalidating the signature.

I do know that if I use "apt download" to download a .deb file, break it
apart (using ar and tar), make a change, and put it back together, I can
the use "apt install ./X.deb" to install it, even though I haven't updated
any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg
doesn't affect the outcome.

That's correct; the validation happens during retrieval. Once the
package is on your computer, you are free to tamper with it however you
want.

And finally, it seems that even wikipedia says that package signatures
aren't being checked on most systems
([3]https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).

That's correct; package validation is done as described above. You left
out the part of the wikipedia article that states that "packages are
verified by signing the repository metadata (i.e. Release files). The
metadata files in turn include checksums for the repository files as a
means to verify authenticity of the files."

noah

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE65xaF5r2LDCTz+zyV68+Bn2yWDMFAmASSx4ACgkQV68+Bn2y WDN3ag//Qx0BGDM063+GRqOBQy7GSj3yA2ykQIYHhYTudhaH4rccQaNqLjXn+k2L NfhdnlDePaenF0YWhY8oUZndL9ty0ihmrg18l4Uok5QW70kQBZB5DzLIQAZzhJby RcEunFRhXPWY6pHcA4FRGc/8/ikl53oslk//ko0Yf3X/4srurAUQrIT+4WRC4fYc xUjy9+A96FnK64hUMvjGhADf+LzbLsAaZK6dQIUn9hrhVrkMASjXfgWoniCmYq9+ eXujelhlsdXvCvPE8PaWiXylPl7yXFWv+sApo05bV94vtIK/7rw74t1G6AmT3rjl MOjhGUCZYu4vmlejLRTAL92Bmw/4s+d5pPZtH4Y5PgDwnC4Xh3W7RcS7aaJW2P4J hg6MIlSbAAN7voUyn4zIU/dHcjIlG6cpSuIpbOhZq+lZhVTzy4c46puEyUbqJS+c EWA5KKZHMt2MorUy9kX0WIbuZG3BqiIQyYqM/vpsRMDh3b4qP3qIVF2H35Wak2oX vUAnBuet6Es9er6M4Lg7Q5ermwie8DP6yr4QRbRjanImYdpVOk1ARR+8fQuLPb9R P+nmSkWutG148/0hERhJO6Z0pVGdNReP/pMxqxQ751T5lwCZm+w/oUSG+5D5mnXi jtUGURQu8NSdmR+KQjRm8WsyW0tDe06SmMhWtDshukQAyv+Ph4o=
=r5r2
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 27, 2021 at 9:27 PM Noah Meyerhans <[email protected]> wrote:

The signed metadata includes cryptographic checksums of the package
contents. Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without invalidating the signature.

This all sounds pretty promising! Thank you, Noah! Do you happen to know
how to access this metadata? I'd love to be able to look at it and
understand it better.

I do know that [I can tamper with .deb pkg on my computer prior to

installation without triggering warnings].

That's correct; the validation happens during retrieval. Once the
package is on your computer, you are free to tamper with it however you
want.

Thanks! It's a relief that the validation occurs elsewhere.

And finally, it seems that even wikipedia says that package signatures

aren't being checked on most systems
([3]

https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).

That's correct; package validation is done as described above. You left
out the part of the wikipedia article that states [...]

Here's the full text (minus footnote anchors):

"Debian-based distributions support GPG signature verification of signed
Debian packages, but most (if not all) have this feature disabled by
default. Instead packages are verified by signing the repository metadata
(i.e. Release files). The metadata files in turn include checksums for the repository files as a means to verify authenticity of the files. Currently there are two different implementations for signing individual packages.
The first is done via the debsigs / debsig-verify toolset, which is
supported by dpkg. The second is done through the dpkg-sig program which is
not supported by dpkg, so the packages have to be manually checked with the dpkg-sig program. Both formats add new sections to the ar archive to store
the signature information, but the formats are not compatible with one
another. Neither of the modifications to the package format are listed in
the official Debian handbook or man page about the binary package format."

I'm still struggling with this paragraph. Let me see if I can break it down sensibly.

"Debian-based distributions support GPG signature verification of signed
Debian packages, but most (if not all) have this feature disabled by
default."

OK. That's straightforward enough. There's some infrastructure for GPG signature verification but it's disabled by default. That's not a problem
in itself, if some other form of effective verification is happening. Just another sentence stating that in the wikipedia article would have made a
world of difference to me.

"Instead packages are verified by signing the repository metadata (i.e.
Release files). The metadata files in turn include checksums for the
repository files as a means to verify authenticity of the files."

Again, I'd love to see one of these release files, so I could see:
a) what data, exactly, is being checksummed
b) what sort of hash algorithm is involved

In my digging around so far, I found that the .deb file contains a control.tar.xz file, which has some md5 checksum information, but it has
very patchy coverage of the files in the package. I hope that's just a
holdover from a deprecated mechanism, and is not being used nowadays.

"Currently there are two different implementations for signing individual packages..."
I think this is referring to the GPG signature verification mechanisms that
are disabled by default. I'm happy to not try to not go down the route of enabling GPG verification, since it seems to be poorly documented (I
haven't found a single concrete example of how to do this), so long as I
can feel that the metadata checksum method is sufficiently reliable. I
think that looking at the Release files would go a long way to relieving my anxiety about this. Any help would be appreciated!

I do wish there was an official document giving a high-level TLDR
description of apt security, complete with caveats. As a bonus
cherry-on-top wish, it would be awesome if it furthermore made clear what
old mechanisms were deprecated and could be ignored!

<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">On Wed, Jan 27, 2021 at 9:27 PM Noah Meyerhans &lt;<a href="mailto:[email protected]">[email protected]</a>&gt; wrote:<br></div><div class="gmail_quote"><blockquote
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>
The signed metadata includes cryptographic checksums of the package<br> contents.  Thus, package contents can&#39;t be modified in storage on the<br> mirror or in transit to your system without invalidating the checksum,<br>
and the checksums can&#39;t be updated in the repository metadata without<br> invalidating the signature.<br></blockquote><div><br></div><div>This all sounds pretty promising! Thank you, Noah! Do you happen to know how to access this metadata? I&#39;d love to be able to look at it and understand it better.</div><div> <br></div><
blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">

&gt;    I do know that [I can tamper with .deb pkg on my computer prior to installation without triggering warnings].<br>

That&#39;s correct; the validation happens during retrieval.  Once the<br> package is on your computer, you are free to tamper with it however you<br> want.<br></blockquote><div><br></div><div>Thanks! It&#39;s a relief that the validation occurs elsewhere.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:
rgb(204,204,204);padding-left:1ex">&gt;    And finally, it seems that even wikipedia says that package signatures<br>
&gt;    aren&#39;t being checked on most systems<br>
&gt;    ([3]<a href="https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages</a>).<br>

That&#39;s correct; package validation is done as described above.  You left<br>
out the part of the wikipedia article that states [...]<br></blockquote><div><br></div><div>Here&#39;s the full text (minus footnote anchors):</div><div><br></div><div>&quot;Debian-based distributions support GPG signature verification of signed Debian
packages, but most (if not all) have this feature disabled by default. Instead packages are verified by signing the repository metadata (i.e. Release files). The metadata files in turn include checksums for the repository files as a means to verify
authenticity of the files. Currently there are two different implementations for signing individual packages. The first is done via the debsigs / debsig-verify toolset, which is supported by dpkg. The second is done through the dpkg-sig program which is
not supported by dpkg, so the packages have to be manually checked with the dpkg-sig program. Both formats add new sections to the ar archive to store the signature information, but the formats are not compatible with one another. Neither of the
modifications to the package format are listed in the official Debian handbook or man page about the binary package format.&quot;</div><div><br></div><div>I&#39;m still struggling with this paragraph. Let me see if I can break it down sensibly. </div><

<br></div><div>&quot;Debian-based distributions support GPG signature verification of signed Debian packages, but most (if not all) have this feature disabled by default.&quot;</div><div><br></div><div>OK. That&#39;s straightforward enough. There&#39;

s some infrastructure for GPG signature verification but it&#39;s disabled by default. That&#39;s not a problem in itself, if some other form of effective verification is happening. Just another sentence stating that in the wikipedia article would have
made a world of difference to me.</div><div><br></div><div>&quot;Instead packages are verified by signing the repository metadata (i.e. Release files). The metadata files in turn include checksums for the repository files as a means to verify
authenticity of the files.&quot;</div><div><br></div><div>Again, I&#39;d love to see one of these release files, so I could see:</div><div>a) what data, exactly, is being checksummed</div><div>b) what sort of hash algorithm is involved</div><div><br></

<div>In my digging around so far, I found that the .deb file contains a control.tar.xz file, which has some md5 checksum information, but it has very patchy coverage of the files in the package. I hope that&#39;s just a holdover from a deprecated

mechanism, and is not being used nowadays.</div><div><br></div><div>&quot;Currently there are two different implementations for signing individual packages...&quot;</div><div>I think this is referring to the GPG signature verification mechanisms that are
disabled by default. I&#39;m happy to not try to not go down the route of enabling GPG verification, since it seems to be poorly documented (I haven&#39;t found a single concrete example of how to do this), so long as I can feel that the metadata
checksum method is sufficiently reliable. I think that looking at the Release files would go a long way to relieving my anxiety about this. Any help would be appreciated!</div><div><br></div><div>I do wish there was an official document giving a high-
level TLDR description of apt security, complete with caveats. As a bonus cherry-on-top wish, it would be awesome if it furthermore made clear what old mechanisms were deprecated and could be ignored!</div><div><br></div></div></div></div></div></div></


--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:

The signed metadata includes cryptographic checksums of the package
contents.� Thus, package contents can't be modified in storage on the
mirror or in transit to your system without invalidating the checksum,
and the checksums can't be updated in the repository metadata without
invalidating the signature.

This all sounds pretty promising! Thank you, Noah! Do you happen to know
how to access this metadata? I'd love to be able to look at it and
understand it better.

See the signed InRelease files in /var/lib/apt/lists

Again, I'd love to see one of these release files, so I could see:
a) what data, exactly, is being checksummed
b) what sort of hash algorithm is involved
In my digging around so far, I found that the .deb file contains a
control.tar.xz file, which has some md5 checksum information, but it has
very patchy coverage of the files in the package. I hope that's just a
holdover from a deprecated mechanism, and is not being used nowadays.

The MD5 sums are use by the debsums program. Because md5 is weak and
because there are plenty of ways to bypass file-level checksum
validation in general, these are more useful at identifying corruption
or valid local modifications rather than system compromise.

You should read https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

It's a little dated, as it still mentions the use of md5 in the Release
files when we use sha256 these days, but it's good for a higher level
overview.

noah


-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE65xaF5r2LDCTz+zyV68+Bn2yWDMFAmATFvUACgkQV68+Bn2y WDN7gA//bHXQqgup1XINXl38haL8YG5cLkbp9g9Uugm2WtkxdutTJKVdua8Wjb3t VOA60UTlvU4rpE90tf6wOoEFWS3pTtf6B9rc6x9HXjRh2xIGIaV+BPVNDi183PND UBGL8yR25e8wQ4hjoN6VTOQWKsukobbO7FBDPCzbN2OUiNO1cnYtDDRk8/ff8xuQ 6H80bKx9Rn5kQ/5Yp5yWgpiQwJu5X2b7SYi0Q7Q538V4OBHmj4EtRjAa28VeUxCT 7RdPHwqcZelH6erI1xjkvglcyrfp5JgekkqXLPLHi8ToYW/8ns7yJ6F21gnPMxZd xEO1G2Xt5G8mhucZz3K6M3BSo3bESv8H4tm18Srr/XfXaXeOjwW0HizRA2xCYtJr J0/YL5fXvZnqag/6BNeRUINWyxjussGzXzEnCFzBtWc2WhEjQCiBzVVK18opfRt1 mo6q8awxBLi4G1YaxBQm2ZQpYNFkF8LnPK7TTEWY0y4gI9dup6+Dg2l96lfiszpq 5t5V0GdeQXZ2LqxgAS/jvuOXFk/jCPbz4Ndx3lbiWS1jOGczMDQ6zmZ9i25oBq+b 9BMxg3I2v/V5QQOJcu2H98qp/1KpdhSsUu/86iDiME1V5BmL6jeNdHWaUs1AQyEj K5kNw9YovDCt7uzVy061jsw4Srf2Y/Fp7+wsjLeZcYTAHN7l+Ac=
=ZjR5
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 28/01/2021 19:08, Ramin Doe wrote:

"Currently there are two different implementations for signing
individual packages..."
I think this is referring to the GPG signature verification mechanisms
that are disabled by default. I'm happy to not try to not go down the
route of enabling GPG verification, since it seems to be poorly
documented (I haven't found a single concrete example of how to do
this), so long as I can feel that the metadata checksum method is sufficiently reliable. I think that looking at the Release files would
go a long way to relieving my anxiety about this. Any help would be appreciated!

Check any mirror ? e.g https://debian.ethz.ch/debian/dists/buster/

I do wish there was an official document giving a high-level TLDR
description of apt security, complete with caveats. As a bonus
cherry-on-top wish, it would be awesome if it furthermore made clear
what old mechanisms were deprecated and could be ignored!

The closest thing that comes to my mind would be https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html.
Hope it helps!

Cheers,

--
nodens

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This all sounds pretty promising! Thank you, Noah! Do you happen to

know

how to access this metadata? I'd love to be able to look at it and
understand it better.

See the signed InRelease files in /var/lib/apt/lists

Ah! I see some files here that are relevant to my search. Thanks! For
instance, on my system, I see a mirrors.linode.com_debian_dists_buster_main_binary-amd64_Packages file that contains a single SHA256 and a single MD5sum hash for each amd64 package. I could see how that sort of information could be used to verify, on the fly,
the packages that arrive here.

You should read

https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

Thanks! I will do so!

<div dir="ltr"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">&gt;    This all sounds pretty
promising! Thank you, Noah! Do you happen to know<br>
&gt;    how to access this metadata? I&#39;d love to be able to look at it and<br>
&gt;    understand it better.<br>

See the signed InRelease files in /var/lib/apt/lists<br></blockquote><div><br></div><div>Ah! I see some files here that are relevant to my search. Thanks! For instance, on my system, I see a mirrors.linode.com_debian_dists_buster_main_binary-amd64_
Packages file that contains a single SHA256 and a single MD5sum hash for each amd64 package. I could see how that sort of information could be used to verify, on the fly, the packages that arrive here.</div><div> </div><blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">You should read<br>
<a href="https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html" rel="noreferrer" target="_blank">https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html</a><br><br></blockquote><div>Thanks! I will do so! 
</div></div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

So after doing my reading and digging around a bit, I get a vague sense of
the pieces involved. I can see the various data files available on the
mirror site, that *could* be used to verify that all the files we receive
are what we'd expect to be getting, based on some initial data (a trusted
key) that we might have on our system. But as some have mentioned, the documentation in Securing Debian Manual ( https://www.debian.org/doc/manuals/securing-debian-manual/) is out of date and/or oversimplified. It's still helpful though!

So I could see how the local keys /etc/apt/trusted.gpg.d/*.gpg might be
used to verify that InRelease that is downloaded from https://[mirrorsite]/debian/dists/buster/ is
trustworthy. And it looks like that InRelease file contains sha256
signatures that can be used to verify the contents of various files,
including Packages.gz that would be downloaded from https://[mirrorsite]/debian/dists/buster/main/binary-amd64/).
In that Packages file, there are sha256 signatures for individual packages
that apt would install, and those could be used to verify all the files
that were downloaded by an `apt install` command before installation.

The only thing that still worries me a little bit is that I can't actually verify that any of the described verification is actually being done, or
that I have imagined the process correctly. (Is there an existing corrupted mirror I can use? Is it hard to set one up? If I could force a package rejection in different ways, I'd be fully confident it was configured and functioning correctly).

I understand, of course, that all this assumes that my system hasn't been compromised already. But, yes, if I have a clean system, and non of the
keys or hashes are compromised, I can see how this would work. And this
would mean that I wouldn't need to do GPG verification of the packages as described in section 7.5.2 of the Manual, and the article I first posted ( https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/
).

It's not entirely clear to me what the CIS guideline was expecting me to
do. It says:

Verify GPG keys are configured correctly for your package manager:
# apt-key list

Perhaps they want me to install apt-key, and use it to look at the gpg keys installed on my system, and then somehow verify that they aren't
compromised? Does that sound like I'm understanding them correctly?

thanks for all the help!
Ramin


On Thu, Jan 28, 2021 at 11:56 AM Noah Meyerhans <[email protected]> wrote:

On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:

The signed metadata includes cryptographic checksums of the package
contents. Thus, package contents can't be modified in storage on

the

mirror or in transit to your system without invalidating the

checksum,

and the checksums can't be updated in the repository metadata

without

invalidating the signature.

This all sounds pretty promising! Thank you, Noah! Do you happen to

know

how to access this metadata? I'd love to be able to look at it and
understand it better.

See the signed InRelease files in /var/lib/apt/lists

Again, I'd love to see one of these release files, so I could see:
a) what data, exactly, is being checksummed
b) what sort of hash algorithm is involved
In my digging around so far, I found that the .deb file contains a
control.tar.xz file, which has some md5 checksum information, but it

has

very patchy coverage of the files in the package. I hope that's just a
holdover from a deprecated mechanism, and is not being used nowadays.

The MD5 sums are use by the debsums program. Because md5 is weak and
because there are plenty of ways to bypass file-level checksum
validation in general, these are more useful at identifying corruption
or valid local modifications rather than system compromise.

You should read

https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

It's a little dated, as it still mentions the use of md5 in the Release
files when we use sha256 these days, but it's good for a higher level overview.

noah

<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">
<div dir="ltr"><div dir="ltr"><div dir="ltr">So after doing my reading and digging around a bit, I get a vague sense of the pieces involved. I can see the various data files available on the mirror site, that *could* be used to verify that all the files
we receive are what we&#39;d expect to be getting, based on some initial data (a trusted key) that we might have on our system. But as some have mentioned, the documentation in Securing Debian Manual (<a href="https://www.debian.org/doc/manuals/securing-
debian-manual/">https://www.debian.org/doc/manuals/securing-debian-manual/</a>) is out of date and/or oversimplified. It&#39;s still helpful though!</div><div dir="ltr"><br></div><div>So I could see how the local keys /etc/apt/trusted.gpg.d/*.gpg might
be used to verify that InRelease that is downloaded from https://[mirrorsite]/debian/dists/buster/ is trustworthy. And it looks like that InRelease file contains sha256 signatures that can be used to verify the contents of various files, including
Packages.gz that would be downloaded from https://[mirrorsite]/debian/dists/buster/main/binary-amd64/). In that Packages file, there are sha256 signatures for individual packages that apt would install, and those could be used to verify all the files
that were downloaded by an `apt install` command before installation.</div><div><br></div><div>The only thing that still worries me a little bit is that I can&#39;t actually verify that any of the described verification is actually being done, or that I
have imagined the process correctly. (Is there an existing corrupted mirror I can use? Is it hard to set one up? If I could force a package rejection in different ways, I&#39;d be fully confident it was configured and functioning correctly).</div><div><

</div><div>I understand, of course, that all this assumes that my system hasn&#39;t been compromised already. But, yes, if I have a clean system, and non of the keys or hashes are compromised, I can see how this would work. And this would mean that I

wouldn&#39;t need to do GPG verification of the packages as described in section 7.5.2 of the Manual, and the article I first posted (<a href="https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/">https://blog.
packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/</a>).</div><div><br></div><div>It&#39;s not entirely clear to me what the CIS guideline was expecting me to do. It says:</div><div><br></div><div>    Verify GPG keys
are configured correctly for your package manager:</div><div>    # apt-key list</div><div><br></div><div>Perhaps they want me to install apt-key, and use it to look at the gpg keys installed on my system, and then somehow verify that they aren&#39;t
compromised? Does that sound like I&#39;m understanding them correctly?</div><div><br></div><div>thanks for all the help!</div><div>Ramin</div><div dir="ltr"><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></

</div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 28, 2021 at 11:56 AM Noah Meyerhans &lt;<a href="mailto:[email protected]">[email protected]</a>&gt; wrote:<br></div><blockquote class="gmail_

quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:<br>
&gt;      The signed metadata includes cryptographic checksums of the package<br>
&gt;      contents.  Thus, package contents can&#39;t be modified in storage on the<br>
&gt;      mirror or in transit to your system without invalidating the checksum,<br>
&gt;      and the checksums can&#39;t be updated in the repository metadata without<br>
&gt;      invalidating the signature.<br>
&gt; <br>
&gt;    This all sounds pretty promising! Thank you, Noah! Do you happen to know<br>
&gt;    how to access this metadata? I&#39;d love to be able to look at it and<br>
&gt;    understand it better.<br>

See the signed InRelease files in /var/lib/apt/lists<br>

&gt;    Again, I&#39;d love to see one of these release files, so I could see:<br>
&gt;    a) what data, exactly, is being checksummed<br>
&gt;    b) what sort of hash algorithm is involved<br>
&gt;    In my digging around so far, I found that the .deb file contains a<br>
&gt;    control.tar.xz file, which has some md5 checksum information, but it has<br>
&gt;    very patchy coverage of the files in the package. I hope that&#39;s just a<br>
&gt;    holdover from a deprecated mechanism, and is not being used nowadays.<br>

The MD5 sums are use by the debsums program.  Because md5 is weak and<br> because there are plenty of ways to bypass file-level checksum<br>
validation in general, these are more useful at identifying corruption<br>
or valid local modifications rather than system compromise.<br>

You should read<br>
<a href="https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html" rel="noreferrer" target="_blank">https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html</a><br>

It&#39;s a little dated, as it still mentions the use of md5 in the Release<br> files when we use sha256 these days, but it&#39;s good for a higher level<br> overview.<br>

noah<br>

</blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 03/02/2021 21:50, Ramin Doe wrote:

It's not entirely clear to me what the CIS guideline was expecting me to
do. It says:

    Verify GPG keys are configured correctly for your package manager:
    # apt-key list

Perhaps they want me to install apt-key, and use it to look at the gpg
keys installed on my system, and then somehow verify that they aren't compromised? Does that sound like I'm understanding them correctly?

apt-key is considered deprecated (check the man: apt-key(8)). However,
what this command does is show you the list of keys trusted for package installation.

I guess it's to make sure you have only legit keys there - but I didn't
read those guidelines, so I can't be completely sure :)

Cheers,

--
nodens

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)