Ubuntu – Are ubuntu packages (deb-files) only md5sum secured

Tags: hash, md5sum, package-management, repository

Introductory background to the question below

(so the question is more usable to more people)
Inside of an Ubuntu/debian-style package (*.deb file) there is a file named
/DEBIAN/md5sums which has a content of this form:

212ee8d0856605eb4546c3cff6aa6d35  usr/bin/file1
4131b66dc3913fcbf795159df912809f  path/to/file2
8c21de23b7c25c9d1a093607fc27656a  path/to/file3
c6d010a475366e0644f3bf77d7f922fd  path/to/place/of/file4

I assume this file will be used to check that the files which come with the package have not been corrupted somehow. Since the file is called `/DEBIAN/md5sums`, I assume the hex number before the path+filename is the MD5 Message-Digest Algorithm hash of the package's files.

Now everybody interested knows that the MD5 hash was already broken a long time ago. Therefore it is totally possible to change the content of a file in the package (e.g. maliciously) and still have the file having the same MD5 hash (see for instance the proof of concept "Predicting the winner….").

Question

Bearing in mind the information above I want to know the following:

**Assuming I install a package in my Ubuntu system, is the DEBIAN/md5sums the only means to make sure the data has not been tampered with?**

Answering the question I think it could help to figure out the following:

  • Are the deb packages as a whole also hashed (hash values made for them) so that there is another way to make sure the files received are "safe"/"untampered"?
  • If there are other ways than the DEBIAN/md5sums file to ensure integrity, what is the file included in the *.deb packages anyhow?
  • Does Ubuntu use hashes for repository/package-system that are "less broken" than SHA-1 and MD5?

which unfortunately I do not know either.

Any response which can shed light on the question (or even only a subquestion) is very welcome.

update

(1)
https://help.ubuntu.com/community/Repositories/Ubuntu#Authentication_Tab seems to indicate that there is (as I hoped for) some public/private gpg key going on (to keep the repos and package systems safe from attacks). The information at the linked location is not very much though. It tells almost nothing about the security aspect of the package system. Anyhow I assume the link already indicates that the answer for the question will be "NO – at least the deb packages from the repo – are also secured by ….". Hope somebody has some insights to use for an answer here.

(2)
This question also seems to be about the topic of "security" in the Ubuntu package system. So I just add it here so it's at hand if somebody strives to figure the question out: Why are the proposed BADSIG (on apt-get update) fixes secure?

Best Answer

Ubuntu publishes a manifest that is signed with an RSA key. The manifest lists individual Packages index files, each with MD5, SHA-1 and SHA-256 hashes. Each Packages file lists individual .deb files with MD5, SHA-1 and SHA-256 hashes.

For verification, apt uses the best hash that it supports and is published by the archive it is downloading from. In the case of the Ubuntu archive, this is SHA-256.

So the entire chain of installing packages on your Ubuntu system is protected by RSA and SHA-256.

The MD5 protection that exists in dpkg is really only useful for accidental corruption, and not necessary to protect the installation path.

You might be interested in the debsums package, but since it uses MD5s, it also is only useful for checking for accidental corruption.

If you want to check for malicious system modification, then these are not the appropriate tools for you. You will need to take the system offline and check against either a previous record, the original package files, or secure hashes generated from these.

Note that since a successful malicious modification might be to simply downgrade a package to the one prior to a security update, checking that all installed package files match against their originals may not be sufficient either.