I want to add a feature to pam, and I figured a good starting point was to download the libpam-modules source. On download, I notice this warning:

    gpgv: Can't check signature: public key not found

What is the official method for verifying the integrity of source packages, when apt-get cannot find the public key?

The newest versions of the ubuntu-keyring and debian-keyring packages are installed already.

There are ways to find the corresponding public key and install it. However, that in itself does not provide integrity, because in effect it is trusting the contents of the dsc file to tell me which public key to use to verify the signature on the dsc file.

Is the gpg signature on the dsc file a critical part of the integrity verification? Could a man in the middle or a rogue mirror serve a malicious version of the file where the warning from gpg is the only indication something bad is happening? Or does apt-get have other means of validating the integrity?

Where would I find official documentation on the security model? Ideally I would like to understand the full trust path from the install image to the source package I am downloading.
The full output from the download was this:
$ apt-get source libpam-modules
Reading package lists... Done
Building dependency tree
Reading state information... Done
Picking 'pam' as source package instead of 'libpam-modules'
NOTICE: 'pam' packaging is maintained in the 'Bzr' version control system at:
https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
Please use:
bzr branch https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 2,043 kB of source archives.
Get:1 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (dsc) [2,510 B]
Get:2 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (tar) [1,893 kB]
Get:3 http://dk.archive.ubuntu.com/ubuntu/ trusty/main pam 1.1.8-1ubuntu2 (diff) [147 kB]
Fetched 2,043 kB in 6s (316 kB/s)
gpgv: Signature made Fri 31 Jan 2014 11:12:23 PM CET using RSA key ID 64792D67
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./pam_1.1.8-1ubuntu2.dsc
The integrity of the source package can be verified without validating the gpg signature on the dsc file.

Each installation source has a pair of files called Release and Release.gpg. These two files are the root of a hash tree, which can be used to validate the integrity of everything in the archive. The gpg signature on Release is the only one which needs to be verified.

The signature on the dsc file may serve an important purpose before the file is put into a repository and indirectly signed through Release.gpg. Once the file is in the repository, the signature on the dsc file can be ignored.

Here is how I could manually verify the integrity. As far as I can tell, apt-get source does the same validation.

1. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release and http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg.

2. Verify the signature on Release:

       gpg --keyring /etc/apt/trusted.gpg --verify Release.gpg Release

   (The public key can also be found in /usr/share/keyrings/ubuntu-archive-keyring.gpg)

3. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources.gz

4. Compare the output of

       sha256sum Sources.gz

   and

       grep main/source/Sources.gz Release

5. Compare the output of

       sha256sum pam_1.1.8-1ubuntu2.dsc

   and

       zcat Sources.gz | grep pam_1.1.8-1ubuntu2.dsc

6. Verify the files listed in the dsc file:

       cat pam_1.1.8-1ubuntu2.dsc | sed -e 's/^ //;s/ [1-9][0-9]* / /' | sha256sum -c
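The same hash walk (Release -> Sources.gz -> .dsc -> source tarballs), written out as an added Python example that is not part of this answer or of apt's own code. It parses the three file formats involved (the SHA256 section of Release, the deb822 stanzas of a Sources index, and a clearsigned .dsc whose armor has to be stripped before its Checksums-Sha256 field can be read), checks both size and digest at every level, and refuses to continue as soon as one link of the chain does not match. The Release, Sources and .dsc contents are constructed inline (not real Ubuntu data), and the gpg verification of Release.gpg is assumed to have been done beforehand with the archive keyring, exactly as in step 2 above.

```python
import gzip
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_lines(lines):
    """Turn ' <sha256> <size> <name>' lines into {name: (sha256, size)}."""
    out = {}
    for parts in (line.split() for line in lines):
        if len(parts) == 3:
            out[parts[2]] = (parts[0], int(parts[1]))
    return out

def parse_release_sha256(text: str) -> dict:
    """Read only the SHA256 section of a Release file; the MD5Sum/SHA1 sections are ignored."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            entries.append(line)
        else:
            in_section = False
    return parse_checksum_lines(entries)

def parse_deb822(text: str):
    """Split control-file text (Sources index or .dsc body) into one field dict per stanza."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:
            current[last] += "\n" + line  # continuation line of a multi-line field
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            current[last] = value.strip()
    return stanzas + ([current] if current else [])

def strip_clearsign(text: str) -> str:
    """Return the signed body of a clearsigned .dsc (undoing dash-escaping); other text is returned unchanged."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, past_headers = [], False
    for line in lines[1:]:
        if not past_headers:
            past_headers = line == ""  # the armor headers end at the first blank line
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break
        else:
            body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"

def check(name: str, data: bytes, expected) -> None:
    """Compare a file's size and SHA-256 against the (hash, size) pair promised one level up the tree."""
    digest, size = expected
    if len(data) != size or sha256_hex(data) != digest:
        raise ValueError(f"checksum or size mismatch for {name}")

def verify_source_package(release_text, sources_gz, sources_path, dsc_name, dsc_bytes, files):
    """Walk Release -> Sources.gz -> .dsc -> source files; returns the names verified, in order.
    Assumes Release.gpg has already been checked with gpg against the archive keyring."""
    release = parse_release_sha256(release_text)
    check(sources_path, sources_gz, release.get(sources_path, ("<not listed in Release>", -1)))
    for stanza in parse_deb822(gzip.decompress(sources_gz).decode()):
        sums = parse_checksum_lines(stanza.get("Checksums-Sha256", "").splitlines())
        if dsc_name in sums:
            break
    else:
        raise ValueError(f"{dsc_name} is not listed in Sources")
    check(dsc_name, dsc_bytes, sums[dsc_name])  # this hash covers the whole .dsc, signature block included
    verified = [sources_path, dsc_name]
    dsc = parse_deb822(strip_clearsign(dsc_bytes.decode()))[0]
    for name, expected in parse_checksum_lines(dsc["Checksums-Sha256"].splitlines()).items():
        check(name, files.get(name, b""), expected)  # a missing file fails the size check
        verified.append(name)
    return verified

def build_sample(tamper=None):
    """Constructed mini-archive (not real Ubuntu data); tamper='tarball' or 'dsc' swaps one file afterwards."""
    tar_name, tar = "pam_1.1.8.orig.tar.gz", b"constructed stand-in for a tarball\n"
    dsc_name = "pam_1.1.8-1ubuntu2.dsc"
    dsc = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
           "Format: 3.0 (quilt)\nSource: pam\nVersion: 1.1.8-1ubuntu2\nChecksums-Sha256:\n"
           f" {sha256_hex(tar)} {len(tar)} {tar_name}\n"
           "-----BEGIN PGP SIGNATURE-----\n(placeholder armor)\n-----END PGP SIGNATURE-----\n").encode()
    sources_gz = gzip.compress(("Package: pam\nDirectory: pool/main/p/pam\nChecksums-Sha256:\n"
                                f" {sha256_hex(dsc)} {len(dsc)} {dsc_name}\n"
                                f" {sha256_hex(tar)} {len(tar)} {tar_name}\n").encode())
    release = f"Suite: trusty\nSHA256:\n {sha256_hex(sources_gz)} {len(sources_gz)} main/source/Sources.gz\n"
    if tamper == "tarball":
        tar += b"one extra line\n"
    elif tamper == "dsc":
        dsc = dsc.replace(b"1ubuntu2", b"1ubuntu3")  # same length, different hash
    return release, sources_gz, dsc, {tar_name: tar}

if __name__ == "__main__":
    rel, src, dsc, files = build_sample()
    print(verify_source_package(rel, src, "main/source/Sources.gz", "pam_1.1.8-1ubuntu2.dsc", dsc, files))
```

Run as-is it prints the three names in the order they were verified; call build_sample("tarball") or build_sample("dsc") to see the mismatch surface at the level where the substitution happened (a swapped tarball is caught by the .dsc's Checksums-Sha256, a modified .dsc by the Sources index), which is exactly why the developer signature on the .dsc is not what protects a file already in the archive.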
The reason you see that warning is because the source packages are signed by the developer's own key, while the binary packages you get from the repo are signed by the repo signing key. Since ubuntu-keyring only gives the keyring of the final repo (debian-keyring actually also provides the public keys of all of its maintainers), apt can't find the key and considers the package unauthenticated.

Therefore, the solution here is to import the key from a keyserver. You can also look up the source package on Launchpad (pam is here), click on the email address of the person who made the last change for a package, and check the key fingerprint from there.

In this case, the last person to change the package was Stéphane Graber, and it just so happens that his key is in debian-keyring (specifically, in /usr/share/keyrings/debian-maintainers.gpg). You can install the debian-keyring package, export his key from that keyring, and import that key into your own keyring so that apt can verify that it is properly signed.