Control: severity -1 normal
Control: tag -1 +moreinfo

Hello Stuart,

On Thu, 2017-08-10 at 23:17 +1000, Stuart Prescott wrote:
> apt-offline claims to do gpg validation of the contents of the zip file and
> claims that this is an important thing for it to do.
>
>   --allow-unauthenticated
>     Don't verify GPG signatures for the data to be installed to APT.
>     Usage of this option is highly discouraged.
>
> However, it appears that apt-offline only verifies the GPG signature on the
> Release file. If that check passes, then it is assumed that all referenced
> resources (Packages files) are OK and apt-offline does not check that the
> hashes for the Packages files are indeed correct.

Yes. We only check the Release file, which contains the checksum details
for the Packages file, which in turn contains the checksum details for
all data (.debs).

> These Packages files are then fed directly to apt. Once apt has been fed a
> manipulated Packages file, it will then trust the .deb packages that it
> refers to.

No. They aren't fed directly. We follow the same process that apt does.
We sync them to the partial location and then apt does the verification.

> One can take a zip bundle, decompress it, alter the Packages file and the
> altered file was not rejected by "apt-offline install bundle.zip".
>
> It seems that the existing GPG check of the Release file is rather pointless
> and gives a false sense of security validation. Either the bundle.zip has
> been securely handled all along and the GPG check is unnecessary, or
> bundle.zip has not been securely handled and it is incorrectly trusted.

Let's take a deb example here:

rrs@priyasi:~$ sudo apt upgrade
[sudo] password for rrs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  snap-confine ubuntu-core-launcher
Use 'sudo apt autoremove' to remove them.
The following packages have been kept back:
  inkscape libgsl2
The following packages will be upgraded:
  linux-libc-dev
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/1,331 kB of archives.
After this operation, 24.6 kB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
15:51 ♒♒♒ ☹  => 1
rrs@priyasi:~$ apt policy linux-libc-dev
linux-libc-dev:
  Installed: 4.12.8+-45
  Candidate: 4.13~rc5-1~exp1
  Version table:
     4.13~rc5-1~exp1 100
        100 http://deb.debian.org/debian experimental/main amd64 Packages
 *** 4.12.8+-45 100
        100 /var/lib/dpkg/status
     4.12.6-1 500
        500 http://deb.debian.org/debian unstable/main amd64 Packages
     4.11.6-1 900
        900 http://deb.debian.org/debian testing/main amd64 Packages
15:51 ♒♒♒ ☺
rrs@priyasi:~$ cd /var/cache/apt/archives/
15:51 ♒♒♒ ☺
rrs@priyasi:/var/cache/apt/archives$ ls -lh linux-libc-dev_4.13~rc5-1~exp1_amd64.deb
-rw-r--r-- 1 root root 1.3M Aug 17 01:24 linux-libc-dev_4.13~rc5-1~exp1_amd64.deb
15:51 ♒♒♒ ☺
rrs@priyasi:/var/cache/apt/archives$ su -c "echo abc > linux-libc-dev_4.13~rc5-1~exp1_amd64.deb "
Password:
15:52 ♒♒♒ ☺
rrs@priyasi:/var/cache/apt/archives$ ls -lh linux-libc-dev_4.13~rc5-1~exp1_amd64.deb
-rw-r--r-- 1 root root 4 Aug 18 15:52 linux-libc-dev_4.13~rc5-1~exp1_amd64.deb
15:52 ♒♒♒ ☺
rrs@priyasi:/var/cache/apt/archives$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  snap-confine ubuntu-core-launcher
Use 'sudo apt autoremove' to remove them.
The following packages have been kept back:
  inkscape libgsl2
The following packages will be upgraded:
  linux-libc-dev
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 1,331 kB of archives.
After this operation, 24.6 kB disk space will be freed.
Do you want to continue? [Y/n] ^C
15:58 ♒♒♒ ☹  => 130

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
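An added example, not part of this bug thread and not apt-offline's or apt's code, showing the checksum chain the reply describes: a Release file (assumed to have already passed the GPG check, which is not repeated here) vouches for the Packages file by SHA256 and size, and the Packages file vouches for the .deb the same way. It exercises both situations raised above: a Packages file edited after the Release check, and a cached .deb overwritten with "abc". All file contents and pool paths are constructed stand-ins, with hashes computed so the chain is consistent.

```python
import hashlib

def parse_release_sha256(release_text):
    """Map path -> (sha256, size) from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False          # any other top-level field ends the section
    return entries

def parse_packages(packages_text):
    """Map Filename -> (sha256, size) from each stanza of a Packages file."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def matches(data, expected):
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def check_chain(release_text, packages_bytes, packages_path, deb_bytes, deb_path):
    """Return (packages_ok, deb_ok); release_text is assumed GPG-verified already."""
    rel = parse_release_sha256(release_text)
    if packages_path not in rel or not matches(packages_bytes, rel[packages_path]):
        return (False, False)           # Packages not vouched for: nothing below it is trusted
    pk = parse_packages(packages_bytes.decode())
    return (True, deb_path in pk and matches(deb_bytes, pk[deb_path]))

# Constructed stand-ins, not real archive data.
DEB = b"!<arch>\nconstructed stand-in for linux-libc-dev_4.13~rc5-1~exp1_amd64.deb\n"
DEB_PATH = "pool/main/l/linux/linux-libc-dev_4.13~rc5-1~exp1_amd64.deb"
PACKAGES = ("Package: linux-libc-dev\nVersion: 4.13~rc5-1~exp1\nArchitecture: amd64\n"
            f"Filename: {DEB_PATH}\nSize: {len(DEB)}\n"
            f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
PACKAGES_PATH = "main/binary-amd64/Packages"
RELEASE = ("Origin: Debian\nSuite: experimental\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n")

if __name__ == "__main__":
    print(check_chain(RELEASE, PACKAGES, PACKAGES_PATH, DEB, DEB_PATH))        # (True, True)
    print(check_chain(RELEASE, PACKAGES, PACKAGES_PATH, b"abc\n", DEB_PATH))   # overwritten .deb: (True, False)
    print(check_chain(RELEASE, PACKAGES + b"X-Tampered: 1\n", PACKAGES_PATH, DEB, DEB_PATH))  # edited Packages: (False, False)
```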