Some time ago, I was reading an article by Kurt Seifried at securityportal.com regarding debian not using digital certificates for their packages, and how this affected security. Being a debian user, and an admirer of apt in particular, I have often thought about how this functionality could be added to apt. I am only an intermediate programmer myself, however.
I was wondering if there were any plans to incorporate digital certificate checking with apt? I had an idea where gnupg could be used. Have each debian maintainer generate a gnupg key pair that is for use with debian. Make their public keys available on a debian public keyring. Then, the maintainers can encrypt the md5 checksum that they would normally generate for the Packages.gz file with their debian gnupg secret key. So that Packages.gz would not have to change, a Packages.md5.gz file could be created which would contain this encrypted md5 sum. Apt could then be modified to be given a flag (like 'secure') that can be used to download this encrypted key, then decrypt it with the public key from the maintainer, and get the checksum that way.

Perhaps there would be a better way to do this; however, this solution does not change the Packages.gz format (though of course a more elegant solution would), and apt would not be required to use the new secure option (I am thinking about US export laws, etc.). This would retain backward compatibility, and add security at a relatively low cost (a few extra files on the mirror sites, the debian public key ring, and of course some coding!).

To comply with US export laws, there could be two versions of apt: apt and apt-gnupg. Apt would remain the same (i.e. compiled without the added security feature above). Apt-gnupg would then depend on gnupg, and during the install of apt-gnupg the gnupg public key rings would of course have to be downloaded to initialize apt for decryption of the checksum. I also thought about openssl; however, I thought that this solution would be better because there is no cost involved in using gnupg, but there is in getting a certificate used for verification with openssl.

Please let me know if I am way off base or if digital signatures are in the works for apt, so I can stop thinking about it! :-)

Thanks,
James Strandboge
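The signed-checksum flow proposed in the post, as an added example that is not part of the original message and not apt's own code: it uses Go's standard-library ed25519 signatures in place of gnupg (a detached signature over the md5 is what "encrypting the checksum with the secret key" amounts to), and the keyring type, the maintainer id and the sample Packages content are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Keyring stands in for the proposed debian public keyring:
// maintainer id -> published public key (hypothetical structure).
type Keyring map[string]ed25519.PublicKey

// SignedChecksum is what the proposed Packages.md5.gz would carry:
// the hex md5 of Packages.gz and the maintainer's signature over it.
type SignedChecksum struct {
	Maintainer string
	MD5Hex     string
	Signature  []byte
}

func packagesMD5(packages []byte) string {
	sum := md5.Sum(packages)
	return hex.EncodeToString(sum[:])
}

// SignPackages is the maintainer side: hash Packages.gz, sign the hash.
func SignPackages(maintainer string, priv ed25519.PrivateKey, packages []byte) SignedChecksum {
	digest := packagesMD5(packages)
	return SignedChecksum{maintainer, digest, ed25519.Sign(priv, []byte(digest))}
}

// VerifyPackages is the "apt --secure" side: look up the maintainer's key,
// check the signature on the published checksum, then check that the
// downloaded Packages.gz really has that checksum. Both must hold, so a
// mirror can neither alter the index nor publish a checksum of its own.
func VerifyPackages(ring Keyring, sc SignedChecksum, packages []byte) error {
	pub, ok := ring[sc.Maintainer]
	if !ok {
		return fmt.Errorf("no public key for maintainer %q", sc.Maintainer)
	}
	if !ed25519.Verify(pub, []byte(sc.MD5Hex), sc.Signature) {
		return fmt.Errorf("signature on checksum does not verify")
	}
	if packagesMD5(packages) != sc.MD5Hex {
		return fmt.Errorf("Packages.gz checksum mismatch: index altered on mirror")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ring := Keyring{"maintainer-a": pub}              // constructed keyring entry
	packages := []byte("Package: apt\nVersion: 1.0-1\n") // constructed sample index
	sc := SignPackages("maintainer-a", priv, packages)
	fmt.Println("good mirror:", VerifyPackages(ring, sc, packages))
	tampered := append([]byte("Package: extra\n"), packages...)
	fmt.Println("tampered mirror:", VerifyPackages(ring, sc, tampered))
}
```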

