I know apt-get gives you a warning and asks if you'd like to install anyways. I don't think I've ever seen it happen in update manager, but I am fairly certain (85% sure) it refuses to do it and tells you to fix the problem.
"You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"
"Don't let your mind wander -- it's too little to be let out alone."
So, what you are saying is that apt will give a warning if the signatures of the malicious upgrades (updates) from the fake repository don't match the signatures on the packages in the genuine repository? Are you sure about that? Sorry, I am a little worried about this. That's why I'm asking this question.
What happens if the malicious upgrades (updates) from the fake repository do not have any signature? In this case, will apt-get still give a warning or will it just perform the update (upgrade) with no warning at all and install those malicious upgrades (updates)?
On my computer now, no signature is the same as a bad one.
Read up about it here: https://help.ubuntu.com/community/SecureApt
This is what apt-get update looks like when you see the error:
Code:
W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
This is what apt-get upgrade looks like:
Code:
WARNING: The following packages cannot be authenticated!
  libglib-perl libgtk2-perl
Install these packages without verification [y/N]?
Last edited by jerome1232; November 11th, 2012 at 05:42 AM.
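For scripted or unattended upgrades, the two messages quoted in the post above can be detected so that a run stops instead of answering the prompt. This is an added example, not code from the thread or from apt itself; the function names are hypothetical and the sample text is constructed from the messages quoted above.

```python
import re

# Constructed sample: the two apt-get messages quoted in the post above.
SAMPLE_OUTPUT = """\
Reading package lists... Done
W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
WARNING: The following packages cannot be authenticated!
  libglib-perl libgtk2-perl
Install these packages without verification [y/N]?
"""

GPG_ERROR = re.compile(r"^W: GPG error: (?P<source>.+?): The following signatures")
NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-F]{16})")
UNAUTH_HEADER = "WARNING: The following packages cannot be authenticated!"


def audit_apt_output(text):
    """Collect every authentication problem reported in apt-get output."""
    findings = {
        "unverified_sources": [],        # repositories whose Release file failed verification
        "missing_keys": [],              # key IDs apt asked for but could not find
        "unauthenticated_packages": [],  # packages apt refuses to trust
    }
    in_package_list = False
    for line in text.splitlines():
        if in_package_list:
            # Package names follow the warning on indented lines.
            if line.startswith(" "):
                findings["unauthenticated_packages"].extend(line.split())
                continue
            in_package_list = False
        match = GPG_ERROR.match(line)
        if match:
            findings["unverified_sources"].append(match.group("source"))
            findings["missing_keys"].extend(NO_PUBKEY.findall(line))
        elif line.startswith(UNAUTH_HEADER):
            in_package_list = True
    return findings


def safe_to_proceed(text):
    """Fail closed: any unverified source or unauthenticated package blocks the run."""
    findings = audit_apt_output(text)
    return not (findings["unverified_sources"] or findings["unauthenticated_packages"])


if __name__ == "__main__":
    print(audit_apt_output(SAMPLE_OUTPUT))
    print("safe to proceed:", safe_to_proceed(SAMPLE_OUTPUT))
```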
Based on my experience when I hadn't gotten the PGP keys for some repositories, the Update Manager will simply fail to install the unsigned updates by default. On the command line you're given the option to allow them to install anyway, but it gives you a pretty clear warning.
Hello, it is still not clear to me what happens when the faked repository tries to give malicious updates (upgrades) to my computer and those updates (upgrades) have no signature. In this case, will apt-get give the same warning it gives when it finds malicious updates (upgrades) which have a signature different from the signatures on packages in the genuine repository?
Yes, no signature is the same as a bad signature as far as apt-get is concerned.
That's actually usually the situation that arises, because either the developer forgot to sign his packages or someone added a PPA and forgot to add the public key so apt-get can check the packages.
Thank You all for your help. Cheers!!!!
Actually, just one more thing. From the posts in this thread, what I understand is that I can't end up installing malicious updates (upgrades) from a fake repository (for example, in the scenario I mentioned in my first post) without apt-get issuing me warnings. Is that right?
Last edited by jsvidyad; November 11th, 2012 at 06:19 AM.
Sorry. Just hoping someone would reply.
Can someone please help me here?
Wait at least 24 hours before bumping your own thread; it's considered rude to bump it so quickly. Could you imagine what this forum would be like if everybody did that?
Yes, apt-get checks packages to make sure they are signed by the private key. So long as the private key is kept just that, private, you can be sure it's the correct package from the person you expect it from.