What is the official method for verifying the integrity of a source package?


4

I want to add a feature to pam, and I thought a good starting point would be to download the libpam-modules source. While downloading, I notice this warning: gpgv: Can't check signature: public key not found

What is the official method for verifying the integrity of source packages when apt-get cannot find the public key?

The latest versions of the ubuntu-keyring and debian-keyring packages are already installed.

There is a 2020_0 for finding the matching public key and installing it. However, that by itself does not guarantee integrity, because it effectively trusts the contents of the dsc file to tell me which public key to use to verify the signature on the dsc file.

Is the gpg signature on the dsc file a critical part of the integrity check? Could a man in the middle or a rogue mirror serve a malicious version of the file, with the gpg warning being the only indication that something bad is going on? Or does apt-get have other ways of validating integrity?

Where can I find the official documentation of the security model? Ideally I would like to understand the complete chain of trust from the installation image to the source package I download.

The full output of the download was as follows:

$ apt-get source libpam-modules
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Picking 'pam' as source package instead of 'libpam-modules'
NOTICE: 'pam' packaging is maintained in the 'Bzr' version control system at:
https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
Please use:
bzr branch https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 2,043 kB of source archives.
Get:1 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (dsc) [2,510 B]
Get:2 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (tar) [1,893 kB]
Get:3 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (diff) [147 kB]
Fetched 2,043 kB in 6s (316 kB/s)                                              
gpgv: Signature made Fri 31 Jan 2014 11:12:23 PM CET using RSA key ID 64792D67
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./pam_1.1.8-1ubuntu2.dsc
1

The reason you see that warning is that the source packages are signed by the developer's own key, while the binary packages you get from the repo are signed by the repo signing key. Since ubuntu-keyring only gives the keyring of the final repo (debian-keyring actually also provides the public keys of all of its maintainers), apt can't find the key and considers the package unauthenticated.

Therefore, the solution here is to import the key from a keyserver. You can also look up the source package on Launchpad (pam is here), click on the email address of the person who made the last change for a package, and check the key fingerprint from there.

In this case, the last person to change the package was Stéphane Graber, and it just so happens that his key is in debian-keyring (specifically, in /usr/share/keyrings/debian-maintainers.gpg). You can install the debian-keyring package, export his key from that keyring, and import that key into your own keyring so that apt can verify that it is properly signed.


3

The integrity of the source package can be verified without validating the gpg signature on the dsc file.

Each installation source has a pair of files called Release and Release.gpg. These two files are the root of a hash tree, which can be used to validate the integrity of everything in the archive. The gpg signature on Release is the only one which needs to be verified.

The signature on the dsc file may serve an important purpose before the file is put into a repository and indirectly signed through Release.gpg. Once the file is in the repository, the signature on the dsc file can be ignored.

Here is how I could manually verify the integrity. As far as I can tell, apt-get source does the same validation.

  1. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release and http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg.
  2. Check the signature using gpg --keyring /etc/apt/trusted.gpg --verify Release.gpg Release (The public key can also be found in /usr/share/keyrings/ubuntu-archive-keyring.gpg)
  3. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources.gz
  4. Compare hashes obtained from sha256sum Sources.gz and grep main/source/Sources.gz Release
  5. Compare hashes obtained from sha256sum pam_1.1.8-1ubuntu2.dsc and zcat Sources.gz | grep pam_1.1.8-1ubuntu2.dsc
  6. Validate hashes found within the dsc file: cat pam_1.1.8-1ubuntu2.dsc | sed -e 's/^ //;s/ [1-9][0-9]* / /' | sha256sum -c
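The hash chain walked in steps 3 to 6 above, as an added example that is not part of the answer: one helper compares a file against the sha256 line an index (Release, Sources or .dsc) lists for it, and the same helper is applied at each level. It runs offline over a constructed toy archive whose file names and contents are made up; the gpg check of Release.gpg (step 2) is assumed to have been done already and is not repeated.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Walks Release -> Sources.gz ->
# .dsc -> upstream tarball over a constructed toy archive so it runs offline.
ARCHIVE=$(mktemp -d)

# sha256 listed for NAME in an index file: the " <sha256> <size> <name>" lines.
# The length test skips the MD5Sum/SHA1 sections of a real Release file.
listed_sha() { awk -v n="$2" 'length($1) == 64 && $3 == n { print $1; exit }' "$1"; }
actual_sha() { sha256sum "$1" | cut -d' ' -f1; }

# check_link INDEX NAME FILE: succeed only if INDEX lists NAME and the listed
# sha256 equals FILE's actual sha256. An unlisted file is a failure, not a pass.
check_link() {
    want=$(listed_sha "$1" "$2")
    [ -n "$want" ] && [ "$want" = "$(actual_sha "$3")" ]
}

# verify_chain DIR: steps 4, 5 and 6 of the answer are the same comparison
# against a different index, so each level reuses check_link.
verify_chain() {
    d=$1
    check_link "$d/Release" main/source/Sources.gz "$d/Sources.gz" || { echo "Sources.gz not vouched for by Release" >&2; return 1; }
    gzip -dc "$d/Sources.gz" > "$d/Sources"
    check_link "$d/Sources" pam_1.1.8.dsc "$d/pam_1.1.8.dsc" || { echo ".dsc not vouched for by Sources" >&2; return 1; }
    check_link "$d/pam_1.1.8.dsc" pam_1.1.8.orig.tar.gz "$d/pam_1.1.8.orig.tar.gz" || { echo "tarball not vouched for by .dsc" >&2; return 1; }
}

# --- constructed toy archive (names and contents are made up for the demo) ---
# entry FILE NAME: emit the " sha256 size name" line the real indexes use
entry() { printf ' %s %s %s\n' "$(actual_sha "$1")" "$(wc -c < "$1" | tr -d ' ')" "$2"; }
printf 'not a real tarball\n' > "$ARCHIVE/pam_1.1.8.orig.tar.gz"
{ printf 'Source: pam\nChecksums-Sha256:\n'; entry "$ARCHIVE/pam_1.1.8.orig.tar.gz" pam_1.1.8.orig.tar.gz; } > "$ARCHIVE/pam_1.1.8.dsc"
{ printf 'Package: pam\nChecksums-Sha256:\n'; entry "$ARCHIVE/pam_1.1.8.dsc" pam_1.1.8.dsc; } | gzip > "$ARCHIVE/Sources.gz"
{ printf 'Suite: trusty\nSHA256:\n'; entry "$ARCHIVE/Sources.gz" main/source/Sources.gz; } > "$ARCHIVE/Release"

verify_chain "$ARCHIVE" && echo "chain intact: every file is vouched for by the signed Release"
```

Replacing the tarball after the indexes were built makes verify_chain fail at the last link, which is exactly the case a rogue mirror serving a modified tarball would produce.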