
Thread: what happens with a faked repository

  1. #11
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,899
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: what happens with a faked repository

    I know apt-get gives you a warning and asks if you'd like to install anyways. I don't think I've ever seen it happen in update manager, but I am fairly certain (85% sure) it refuses to do it and tells you to fix the problem.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."

  2. #12
    Join Date
    Jul 2005
    Beans
    412

    Re: what happens with a faked repository

    I know apt-get gives you a warning and asks if you'd like to install anyways.
    So, what you are saying is that apt will give a warning if the signatures of the malicious upgrades (updates) from the fake repository don't match the signatures on the packages in the genuine repository? Are you sure about that? Sorry, I am a little worried about this. That's why I'm asking this question.

    What happens if the malicious upgrades (updates) from the fake repository do not have any signature? In this case, will apt-get still give a warning, or will it just perform the update (upgrade) with no warning at all and install those malicious upgrades (updates)?

  3. #13
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,899
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: what happens with a faked repository

    snip

    On my computer now, no signature is the same as a bad one.

    Read up about it here: https://help.ubuntu.com/community/SecureApt

    This is what apt-get update looks like when you see the error
    Code:
    W: GPG error: http://ftp.us.debian.org testing Release: The following signatures  couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
    This is what apt-get upgrade looks like

    Code:
    WARNING: The following packages cannot be authenticated!
      libglib-perl libgtk2-perl
    Install these packages without verification [y/N]?
    Last edited by jerome1232; November 11th, 2012 at 05:42 AM.

  4. #14
    Join Date
    Sep 2011
    Beans
    1,531

    Re: what happens with a faked repository

    Based on my experience when I hadn't gotten the PGP keys for some repositories, the Update Manager will simply fail to install the unsigned updates by default. On the command line you're given the option to allow them to install anyway, but it gives you a pretty clear warning.

  5. #15
    Join Date
    Jul 2005
    Beans
    412

    Re: what happens with a faked repository

    Hello. It is still not clear to me what happens when the faked repository tries to give malicious updates (upgrades) to my computer and those updates (upgrades) have no signature. In this case, will apt-get give the same warning it gives when it finds malicious updates (upgrades) which have a signature different from the signatures on packages in the genuine repository?

  6. #16
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,899
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: what happens with a faked repository

    Yes, no signature is the same as a bad signature as far as apt-get is concerned.

    That's actually usually the situation that arises because either the developer forgot to sign his packages or someone added a ppa and forgot to add the public key so apt-get can check the packages.

  7. #17
    Join Date
    Jul 2005
    Beans
    412

    Re: what happens with a faked repository

    Thank you all for your help. Cheers!!!!

    Actually, just one more thing. From the posts in this thread, what I understand is that I can't end up installing malicious updates (upgrades) from a fake repository (for example in the scenario I mentioned in my first post) without apt-get issuing me warnings. Is that right?
    Last edited by jsvidyad; November 11th, 2012 at 06:19 AM.

  8. #18
    Join Date
    Jul 2005
    Beans
    412

    Re: what happens with a faked repository

    Sorry. Just hoping someone would reply.

  9. #19
    Join Date
    Jul 2005
    Beans
    412

    Re: what happens with a faked repository

    Can someone please help me here.

  10. #20
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,899
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: what happens with a faked repository

    Wait at least 24 hours before bumping your own thread. It's considered rude to bump it so quickly; could you imagine what this forum would be like if everybody did that?

    Yes, apt-get checks packages to make sure they are signed by the private key. So long as the private key is kept just that, private, you can be sure it's the correct package from the person you expect it from.
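To make the "signed by the repository key" answer above concrete, here is an added example (not code from the thread or from apt itself) of the hash chain SecureApt walks once gpgv has verified the Release file's signature: the signed Release lists the SHA256 and size of each Packages index, and each index lists the SHA256 of each .deb, so a mirror cannot substitute an index or a package without breaking a link. It assumes the signature check on the Release file has already succeeded (that step is not shown), and the archive data below is constructed, not taken from a real repository.

```python
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_hashes(release: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    hashes, in_sha256 = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:                         # " <digest> <size> <path>"
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def parse_packages(packages: str) -> dict:
    """Return {package name: (sha256, filename)} from a Packages index."""
    result = {}
    for stanza in re.split(r"\n\s*\n", packages.strip()):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        result[fields["Package"]] = (fields["SHA256"], fields["Filename"])
    return result

def verify_chain(release, packages_path, packages_bytes, pkg_name, deb_bytes):
    """True only if every link matches. A missing entry is a failure, which is
    why an unlisted or unsigned file is treated the same as a forged one."""
    entry = parse_release_hashes(release).get(packages_path)
    if entry != (sha256(packages_bytes), len(packages_bytes)):
        return False   # index absent from the signed Release, or tampered with
    pkg = parse_packages(packages_bytes.decode()).get(pkg_name)
    if pkg is None or pkg[0] != sha256(deb_bytes):
        return False   # .deb absent from the verified index, or tampered with
    return True

# Constructed sample archive (not real data): one .deb, one index, one Release.
GOOD_DEB = b"constructed contents of libglib-perl_1.0_all.deb"
PACKAGES = (f"Package: libglib-perl\nVersion: 1.0\n"
            f"Filename: pool/main/libglib-perl_1.0_all.deb\n"
            f"SHA256: {sha256(GOOD_DEB)}\n").encode()
RELEASE = (f"Origin: Example\nSuite: testing\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, "main/binary-amd64/Packages", PACKAGES,
                       "libglib-perl", GOOD_DEB))           # True
    print(verify_chain(RELEASE, "main/binary-amd64/Packages", PACKAGES,
                       "libglib-perl", GOOD_DEB + b"x"))    # False: .deb altered
```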
