Provided by: apt_0.6.43.3ubuntu2_i386


       apt-secure - Archive authentication support for APT


       Starting  with  version  0.6,  apt  contains  code  that does signature
       checking of the Release  file  for  all  archives.  This  ensures  that
       packages  in the archive can’t be modified by people who have no access
       to the Release file signing key.

       If a package comes from an archive without a signature, or with a
       signature for which apt does not have a key, that package is considered
       untrusted and installing it will result in a big warning. apt-get will
       currently only warn for unsigned archives; future releases might force
       all sources to be verified before downloading packages from them.

       The package frontends apt-get(8), aptitude(8) and  synaptic(8)  support
       this new authentication feature.


       The chain of trust from an apt archive to the end user is made up of
       different steps. apt-secure is the last step in this chain: trusting an
       archive does not mean that the packages it contains are free of
       malicious code, but that you trust the archive maintainer. It is the
       archive maintainer's responsibility to ensure that the integrity of the
       archive is intact.

       apt-secure does not review  signatures  at  a  package  level.  If  you
       require  tools  to do this you should look at debsig-verify and debsign
       (provided in the debsig-verify and devscripts packages respectively).

       The chain of trust in Debian starts when a maintainer uploads a new
       package or a new version of a package to the Debian archive. In order
       to become effective, this upload needs to be signed by a key of a
       maintainer within the Debian maintainers' keyring (available in the
       debian-keyring package). Maintainers' keys are signed by other
       maintainers following pre-established procedures to ensure the identity
       of the key holder.

       Once the uploaded package is verified and included in the archive, the
       maintainer signature is stripped off, an MD5 sum of the package is
       computed and put in the Packages file. The MD5 sums of all of the
       Packages files are then computed and put into the Release file. The
       Release file is then signed by the archive key (which is created once a
       year and distributed through the FTP server). This key is also in the
       Debian keyring.

       Any end user can check the signature of the Release file,  extract  the
       MD5  sum  of  a  package from it and compare it with the MD5 sum of the
       package he downloaded. Prior to version 0.6 only the  MD5  sum  of  the
       downloaded  Debian  package  was  checked. Now both the MD5 sum and the
       signature of the Release file are checked.

       Notice that this is distinct from checking signatures on a per  package
       basis. It is designed to prevent two possible attacks:

       ·  Network "man in the middle" attacks. Without signature checking, a
          malicious agent can interpose himself in the package download
          process and provide malicious software, either by controlling a
          network element (router, switch, etc.) or by redirecting traffic to
          a rogue server (through ARP or DNS spoofing attacks).

       ·  Mirror  network  compromise. Without signature checking, a malicious
          agent can compromise a mirror host and modify the  files  in  it  to
          propagate  malicious software to all users downloading packages from
          that host.

       However, it does not defend against a compromise of the  Debian  master
       server itself (which signs the packages) or against a compromise of the
       key used to sign the Release files. In any  case,  this  mechanism  can
       complement a per-package signature.
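       The hash chain described above, as an added example in Python (not
       apt's own code): the archive side builds a Packages stanza and a
       Release file, and the client side checks Release -> Packages -> .deb by
       MD5 sum and size, which is what apt does once gpg has verified
       Release.gpg against Release. The .deb bytes, package name and pool
       path are constructed, and the gpg signature check itself is assumed
       to have already passed.

```python
import hashlib

DEB_BYTES = b"!<arch>\nconstructed sample package payload\n"  # constructed stand-in for a .deb
DEB_PATH = "pool/main/f/foo/foo_1.0_i386.deb"                 # hypothetical pool path
PACKAGES_PATH = "main/binary-i386/Packages"

def build_packages(deb_path: str, deb: bytes) -> bytes:
    """Archive side: one Packages stanza carrying the .deb's MD5 sum and size."""
    return (f"Package: foo\nVersion: 1.0\nArchitecture: i386\nFilename: {deb_path}\n"
            f"Size: {len(deb)}\nMD5sum: {hashlib.md5(deb).hexdigest()}\n\n").encode()

def build_release(packages: bytes) -> bytes:
    """Archive side: Release whose MD5Sum section covers Packages (then: gpg -abs -o Release.gpg Release)."""
    entry = f" {hashlib.md5(packages).hexdigest()} {len(packages):16d} {PACKAGES_PATH}\n"
    return b"Origin: Example\nSuite: stable\nArchitectures: i386\nMD5Sum:\n" + entry.encode()

def parse_release_md5sums(release: bytes) -> dict:
    """Map path -> (md5, size) from the MD5Sum: section of a Release file."""
    sums, in_section = {}, False
    for line in release.decode().splitlines():
        if not line.startswith(" "):
            in_section = line.startswith("MD5Sum:")  # any other header ends the section
        elif in_section:
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
    return sums

def parse_packages(packages: bytes) -> dict:
    """Map Filename -> (MD5sum, Size) from the stanzas of a Packages file."""
    out, stanza = {}, {}
    for line in packages.decode().splitlines() + [""]:
        if line == "":  # a blank line terminates the stanza
            if "Filename" in stanza:
                out[stanza["Filename"]] = (stanza["MD5sum"], int(stanza["Size"]))
            stanza = {}
        elif not line.startswith(" ") and ":" in line:
            key, value = line.split(":", 1)
            stanza[key] = value.strip()
    return out

def verify_deb(release: bytes, packages: bytes, deb_path: str, deb: bytes) -> bool:
    """Client side, once gpg has verified Release.gpg: Release -> Packages -> .deb, by MD5 and size."""
    expected = (hashlib.md5(packages).hexdigest(), len(packages))
    if parse_release_md5sums(release).get(PACKAGES_PATH) != expected:
        return False  # Packages does not match the signed Release: reject
    return parse_packages(packages).get(deb_path) == (hashlib.md5(deb).hexdigest(), len(deb))

# What the archive publishes; a mirror that swaps the .deb cannot re-sign Release to match.
PACKAGES = build_packages(DEB_PATH, DEB_BYTES)
RELEASE = build_release(PACKAGES)
```

       A swapped .deb fails at the Packages step, and a Packages file rewritten
       to match it fails at the Release step, which is the mirror-compromise
       case the previous paragraph describes.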


       apt-key is the program that manages the list of keys used by apt. It
       can be used to add or remove keys, although an installation of this
       release will automatically provide the default Debian archive signing
       keys used in the Debian package repositories.

       In order to add a new key you need to first  download  it  (you  should
       make sure you are using a trusted communication channel when retrieving
       it), add it with apt-key and then run apt-get update so  that  apt  can
       download  and  verify  the Release.gpg files from the archives you have


       If you want to provide archive signatures  in  an  archive  under  your
       maintenance you have to:

       ·  Create a toplevel Release file, if it does not exist already. You
          can do this by running apt-ftparchive release (provided inftp

       ·  Sign it. You can do this by running gpg -abs -o Release.gpg Release.

       ·  Publish the key fingerprint, that way your users will know what  key
          they  need  to  import  in  order  to  authenticate the files in the

       Whenever the contents of the archive changes (new packages are added or
       removed)  the  archive  maintainer  has  to  follow the first two steps
       previously outlined.


       apt.conf(5), apt-get(8), sources.list(5), apt-key(8), apt-archive(1),
       debsign(1), debsig-verify(1), gpg(1)

       For more background information you might want to review the Debian
       Security Infrastructure:
       debian-howto/ch7.en.html chapter of the Securing Debian Manual
       (available also in the harden-doc package) and the Strong Distribution
       HOWTO: by V. Alex


       APT bug page: If you wish to  report  a
       bug  in  APT, please see /usr/share/doc/debian/bug-reporting.txt or the
       reportbug(1) command.


       APT was written by the APT team <>.


       This man-page is based on the work of Javier  Fernández-Sanguino  Peña,
       Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.


       Jason Gunthorpe.