Are official Debian repositories secure/https?

New to Debian (Or Linux in general)? Ask your questions here!
Bryan Hammond
Posts: 18
Joined: 2014-12-03 03:41

Are official Debian repositories secure/https?

#1 Post by Bryan Hammond »

In Synaptic I was surprised to see that none of the default Debian 11.3 repositories were "https".
Does this indicate my installation is corrupted?

I downloaded Debian 11.3 from an official Debian repository, the check-sums were fine, but I haven't been able to figure out how to check the PGP SIGNATURE for Deb 11,3 SHA512 (and 256) SUMS files, so I don't know if there is a problem there.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Are official Debian repositories secure/https?

#2 Post by sunrat »

I'm no expert on this but apt checks authenticity of downloaded packages with GnuPG - https://debian-handbook.info/browse/sta ... ation.html

Also - https://debian-handbook.info/browse/stable/apt.html

You can change your sources to https if it makes you feel better, not sure if it matters though:

Code:

deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main
deb https://deb.debian.org/debian bullseye-updates main contrib non-free
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

Shamak
Posts: 147
Joined: 2018-04-14 00:33
Has thanked: 11 times
Been thanked: 8 times

Re: Are official Debian repositories secure/https?

#3 Post by Shamak »

Bryan Hammond wrote: 2022-06-25 23:49
I downloaded Debian 11.3 from an official Debian repository, the check-sums were fine, but I haven't been able to figure out how to check the PGP SIGNATURE for Deb 11,3 SHA512 (and 256) SUMS files, so I don't know if there is a problem there.
I follow this guide for verifying a Debian iso including the signatures.

https://linuxconfig.org/how-to-verify-a ... iso-images

I certainly am no expert but it echoes what other distributions recommend so I think it's right.

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Are official Debian repositories secure/https?

#4 Post by Hallvor »

From the Arch wiki on package signing.

In short, https is pointless, since every downloaded package is checked against GPG signatures.
Debian
Binary packages (.deb)

To sum up, the GPG signature is included in the .deb.

Details:

Regular non-signed binary packages are "ar" archives of at least 3 files:

data.tar.gz (files to be installed)
control.tar.gz (package metadata)
debian-binary (contains the version of the deb format)

Signed packages also have a _gpgorigin file at the root of the .deb that is a "gpg -abs" of the concatenation of the 3 latter (as explained here):

cat debian-binary control.tar.gz data.tar.gz > /tmp/combined-contents
gpg -abs -o _gpgorigin /tmp/combined-contents (-a "Create ASCII armored output" ; -b "detach signature" ; -s "sign")

https://wiki.archlinux.org/title/Develo ... e_checking


There is also debsums in the repository to verify the installed packages against MD5 checksums.

Code:

debsums/stable,stable 3.0.2 all
  tool for verification of installed package files against MD5 checksums
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

Bryan Hammond
Posts: 18
Joined: 2014-12-03 03:41

Re: Are official Debian repositories secure/https?

#5 Post by Bryan Hammond »

sunrat wrote: 2022-06-26 01:28 I'm no expert on this but apt checks authenticity of downloaded packages with GnuPG - https://debian-handbook.info/browse/sta ... ation.html

Also - https://debian-handbook.info/browse/stable/apt.html
I checked both those links, and got a similar result to what one of them displayed - that included 3 fingerprints related to Bullseye... seems positive, but I don't know how to make use of them to confirm anything. I'm wondering if they can be used to confirm results to what I tried in response to the Reply below yours - to confirm the checksum signatures for my Debian 11.3 iso really are "BAD". See the screenshot attachment to that reply, if it's of interest.
You can change your sources to https if it makes you feel better, not sure if it matters though:
I did change them... even if it just gives me a bit of false security.

So, Thanks, these seem to be steps in the right direction.

Bryan Hammond
Posts: 18
Joined: 2014-12-03 03:41

Re: Are official Debian repositories secure/https?

#6 Post by Bryan Hammond »

Shamak wrote: 2022-06-26 04:02
Bryan Hammond wrote: 2022-06-25 23:49
I downloaded Debian 11.3 from an official Debian repository, the check-sums were fine, but I haven't been able to figure out how to check the PGP SIGNATURE for Deb 11,3 SHA512 (and 256) SUMS files, so I don't know if there is a problem there.
I follow this guide for verifying a Debian iso including the signatures.

https://linuxconfig.org/how-to-verify-a ... iso-images

I certainly am no expert but it echoes what other distributions recommend so I think it's right.
Thank you Shamak. I tried what's advised in your link, and the 256 and 512 checksums for the iso say "binary file matches"... which I assume means "OK"? I'd confirmed that much with "GtkHash" right after I downloaded the iso. However, with your link I could finally check the ".sign" (pgp) checksums, and got the results "BAD" signature. SO, I can't trust that iso download, right.

I'm curious though, do you know if/how I could use the pgp fingerprints I got through steps I tried with the links in the previous reply, to reconfirm that the pgp signatures really are BAD. I'm attaching a screenshot of the cmds and results in my terminal. As it is now, I've concluded that I should delete that Debian 11.3 install, and iso.
Attachment: Scrn,Apt-key fingerprint, cmd & results, 2022-06-28.png

Shamak
Posts: 147
Joined: 2018-04-14 00:33
Has thanked: 11 times
Been thanked: 8 times

Re: Are official Debian repositories secure/https?

#7 Post by Shamak »

Bryan Hammond wrote: 2022-06-28 23:19
Shamak wrote: 2022-06-26 04:02
Bryan Hammond wrote: 2022-06-25 23:49
I downloaded Debian 11.3 from an official Debian repository, the check-sums were fine, but I haven't been able to figure out how to check the PGP SIGNATURE for Deb 11,3 SHA512 (and 256) SUMS files, so I don't know if there is a problem there.
I follow this guide for verifying a Debian iso including the signatures.

https://linuxconfig.org/how-to-verify-a ... iso-images

I certainly am no expert but it echoes what other distributions recommend so I think it's right.
Thank you Shamak. I tried what's advised in your link, and the 256 and 512 checksums for the iso say "binary file matches"... which I assume means "OK"? I'd confirmed that much with "GtkHash" right after I downloaded the iso. However, with your link I could finally check the ".sign" (pgp) checksums, and got the results "BAD" signature. SO, I can't trust that iso download, right.

I'm curious though, do you know if/how I could use the pgp fingerprints I got through steps I tried with the links in the previous reply, to reconfirm that the pgp signatures really are BAD. I'm attaching a screenshot of the cmds and results in my terminal. As it is now, I've concluded that I should delete that Debian 11.3 install, and iso.
To be honest this is really above my pay grade. However I could add a few details that no one seems to mention in doing this stuff.

Change to the directory your signature, sums, and iso are in. So if they're in the Downloads folder you would

Code:

cd ~/Downloads
Change "netinst" in the first step to "OK" without the quote marks.

Change "6294BE9B" to whatever your output is.

If everything's ok your outputs should pretty much look like what's on that guide.
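
An added example, not from this thread or from the guide linked above, that does the verification Bryan is asking about in POSIX sh: it judges gpg's machine-readable status lines against the expected full fingerprint of the signing key (a short id such as 6294BE9B is not enough to trust a key), then checks only the downloaded image's own line from SHA512SUMS, so a missing unrelated image does not turn into a failure. The fingerprint placeholder, the function names and the example filename are assumptions; take the real fingerprint from debian.org/CD/verify.

```shell
# Constructed example; assumes a Debian-style SHA512SUMS + SHA512SUMS.sign pair
# next to the .iso in the current directory (cd ~/Downloads first).
# EXPECTED_FPR is a PLACEHOLDER: put the full 40-hex fingerprint of the Debian
# CD signing key here (from https://www.debian.org/CD/verify), not the short id.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Step 1: judge the signature from gpg's "[GNUPG:] ..." status lines instead of
# its human-readable text. $1 = file holding the status lines, $2 = expected fpr.
check_status() {
    if grep -q '^\[GNUPG:\] BADSIG ' "$1"; then
        echo "BAD signature: SUMS file altered, or signed by a different key" >&2
        return 1
    fi
    if grep -q '^\[GNUPG:\] NO_PUBKEY ' "$1"; then
        echo "signing key not in keyring: import it, then compare its fingerprint" >&2
        return 1
    fi
    # VALIDSIG carries the full fingerprint; GOODSIG alone only names a key id.
    grep -q "^\[GNUPG:\] VALIDSIG $2 " "$1"
}

# Step 2: check one image against the signed SUMS file. $1 = SUMS file,
# $2 = image filename. Only that file's line (text "  name" or binary "*name"
# form) is fed to sha512sum, so other images listed in SUMS need not be present.
check_sums() {
    awk -v f="$2" '$2 == f || $2 == "*" f' "$1" | sha512sum -c --status -
}

# Full run for one image, e.g. verify_image debian-11.3.0-amd64-netinst.iso
# (example filename). gpg's status goes to fd 1 and is captured in a file; its
# exit code is ignored because check_status decides from the status lines.
verify_image() {
    gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS > gpg-status.txt 2>/dev/null || true
    check_status gpg-status.txt "$EXPECTED_FPR" || return 1
    check_sums SHA512SUMS "$1" && echo "OK: signature and checksum both verified for $1"
}
```

Until the signature check passes, a matching checksum only proves the image matches the SUMS file you downloaded, not that the SUMS file came from Debian.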

Bryan Hammond
Posts: 18
Joined: 2014-12-03 03:41

Re: Are official Debian repositories secure/https?

#8 Post by Bryan Hammond »

Thanks for trying to help. I've checked the links that sunrat, Shamak, and Hallvor have sent, and tried cmds that I could understand. Too much is over my head, and I don't seem to have the ability to change that. The cmd line and I don't get along... I need GUIs. As far as I can tell the checksums for the iso indicate it's good, but the signatures are BAD. I'm giving up on this install of Debian 11.3, and will delete its partitions. Will see if I have better luck with Ubuntu or Trisquel.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Are official Debian repositories secure/https?

#9 Post by sunrat »

I would guess your methodology for checking the signatures is incorrect. If the checksums match the file is probably fine.