6.6. Checking Package Authenticity

The Falcot Corp administrators place great importance on security. Consequently, they only install packages which Debian guarantees have not been tampered with. A computer cracker could add malicious code to an otherwise legitimate package. If such a package were installed, it would do whatever the cracker designed it to do, including disclosing passwords or confidential information. To avoid this risk, Debian provides a mechanism that guards against such tampering at install time, so that only packages that come from the official maintainers and have not been modified by a third party are installed.

The seal works with a chain of cryptographic hashes and a signature, and is explained in detail in apt-secure(8). Starting with Debian 10 Buster, the signed file is the InRelease file provided by the Debian mirrors. There is also a legacy file called Release. Both contain a list of the Packages files (including their compressed forms, Packages.gz and Packages.xz, and the incremental versions), along with their SHA256 hashes, which ensures that those files haven't been tampered with. The Packages files in turn list the Debian packages available on the mirror, along with their hashes, which ensures that the contents of the packages themselves haven't been altered either. The difference between InRelease and Release is that the former is cryptographically signed in-line, whereas the latter comes with a detached signature in the form of the file Release.gpg.
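As an added illustration (not code from the handbook or from APT itself), the hash chain described above, carried out in Python over a constructed Release body, a constructed Packages index and a stand-in .deb. The GnuPG signature on InRelease, which apt-secure(8) covers, is the root of trust and is outside this snippet; what is shown is the two links the signature protects.

```python
import hashlib
import re

# Constructed stand-in for a .deb (starts with the ar archive magic); not a real package.
DEB_BYTES = b"!<arch>\n" + b"hello_1.0_amd64 (constructed contents)"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed Packages stanza recording the .deb's path, size and hash.
PACKAGES = (
    "Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
    f"Filename: pool/main/h/hello/hello_1.0_amd64.deb\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256(DEB_BYTES)}\n\n"
).encode()

# Constructed Release body: the SHA256 section lists each index with its size and hash.
# In a real InRelease this body is what the archive key signs.
RELEASE = f"""Origin: Debian
Suite: stable
SHA256:
 {sha256(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages
"""

def parse_release_sha256(text):
    """Return {path: (hex digest, size)} from the SHA256 section of a Release body."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False          # any other header ends the section
    return entries

def parse_packages(data):
    """Split a Packages index into stanzas; return {Filename: (SHA256, Size)}."""
    result = {}
    for stanza in data.decode().split("\n\n"):
        fields = dict(re.findall(r"^(\S+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes):
    """Release -> Packages -> .deb: True only if both hash links hold."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected != (sha256(index_bytes), len(index_bytes)):
        return False                    # index not listed or altered
    expected = parse_packages(index_bytes).get(deb_path)
    return expected == (sha256(deb_bytes), len(deb_bytes))
```

A single flipped byte in either the index or the package breaks the corresponding link, which is exactly the failure APT reports as an unverifiable package.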

NOTE: The future of Release and Release.gpg

Probably with the release of Debian 11 Bullseye, APT will remove support for the legacy files Release and Release.gpg, which have been used since APT 0.6 introduced support for archive authentication.

APT needs a set of trusted GnuPG public keys to verify the signatures in the InRelease and Release.gpg files available on the mirrors. It gets them from the files in /etc/apt/trusted.gpg.d/ and from the /etc/apt/trusted.gpg keyring (managed by the apt-key command). The official Debian keys are provided and kept up to date by the debian-archive-keyring package, which puts them in /etc/apt/trusted.gpg.d/. Note, however, that the first installation of this particular package requires caution: even though the package is signed like any other, that signature cannot be verified by APT before the keys it carries are trusted. Cautious administrators should therefore check the fingerprints of the imported keys before trusting them to install new packages:

IN PRACTICE: Adding trusted keys

Once a third-party package source has been added to the sources.list file, APT must be told to trust the corresponding GPG authentication key (otherwise it will keep complaining that it cannot verify the authenticity of the packages from that repository). The first step is obtaining the public key. More often than not, the key is provided as a small text file; in the examples below, we call it key.asc.

To add the key to the trusted keyring, the administrator can simply put it in a *.asc file in /etc/apt/trusted.gpg.d/. This has been supported since Debian Stretch. With older releases, you had to run apt-key add < key.asc.

Once the appropriate keys are in the keyring, APT checks the signatures before any risky operation, and the front-ends display a warning if asked to install a package whose authenticity cannot be ascertained.