Falcot Corp の管理者にとって、セキュリティはとても重要です。つまり管理者は、パッケージが途中で改竄されていないこと、確かに Debian から提供されていることを確認し、確認のとれたパッケージだけをインストールしなければいけません。コンピュータクラッカーは、他の合法的なパッケージに悪意あるコードを追加しようと試みます。そのようなパッケージがインストールされた場合、クラッカーが設計したことは何でも、たとえばパスワードや機密情報の漏洩などでも、実行されます。この危険性を回避するために、Debian は不正改竄を防ぐ封印を提供し、インストール時にそのパッケージが公式メンテナから提供されたものと本当に同じこと、第三者によって変更されていないことを保証しています。
The seal works with a chain of cryptographic hashes and a signature and is explained in detail in apt-secure(8). Starting with Debian 10 Buster the signed file is the InRelease
file, provided by the Debian mirrors. There is also a legacy file called Release
. Both contain a list of the Packages
files (including their compressed forms, Packages.gz
and Packages.xz
, and the incremental versions), along with their SHA256 hashes, which ensures that the files haven't been tampered with. These Packages
files contain a list of the Debian packages available on the mirror, along with their hashes, which ensures in turn that the contents of the packages themselves haven't been altered either. The difference between InRelease
and Release
is that the former is cryptographically signed in-line, whereas the latter provides a detached signature in the form of the file Release.gpg
.
APT needs a set of trusted GnuPG public keys to verify signatures in the InRelease
and Release.gpg
files available on the mirrors. It gets them from files in /etc/apt/trusted.gpg.d/
and from the /etc/apt/trusted.gpg
keyring (managed by the apt-key
command). The official Debian keys are provided and kept up-to-date by the debian-archive-keyring package which puts them in /etc/apt/trusted.gpg.d/
:
#
ls /etc/apt/trusted.gpg.d/
debian-archive-bullseye-automatic.gpg
debian-archive-bullseye-security-automatic.gpg
debian-archive-bullseye-stable.gpg
debian-archive-buster-automatic.gpg
debian-archive-buster-security-automatic.gpg
debian-archive-buster-stable.gpg
debian-archive-stretch-automatic.gpg
debian-archive-stretch-security-automatic.gpg
debian-archive-stretch-stable.gpg
Once the appropriate keys are in the keyring, APT will check the signatures before any risky operation, so that frontends will display a warning if asked to install a package whose authenticity can't be ascertained.
Note, that binary packages are usually not signed. The integrity of a package can only be confirmed by checking its hashsums against a trusted (and possibly signed) hashsum source.