
6.5. Checking Package Authenticity

Falcot Corp's administrators take security very seriously. Accordingly, they only install packages that Debian guarantees have not been tampered with. A computer cracker could add malicious code to an otherwise legitimate package; if such a package were installed, it would do whatever the cracker designed it to do, including disclosing passwords or private information. To avoid this risk, Debian provides a mechanism that guards against such tampering at install time, so that only packages which come from the official maintainer and have not been modified by a third party get installed.
The seal is built from a chain of cryptographic hashes and a signature. The signed file is the Release file provided by the Debian mirrors. It contains a list of the Packages files (including the compressed forms Packages.gz and Packages.xz, and the incremental versions) together with their MD5, SHA1 and SHA256 hashes, which ensures that those files have not been tampered with. The Packages files in turn list the Debian packages available on the mirror along with their hashes, which is enough to guarantee that the contents of the packages themselves have not been altered either.
The trusted keys are managed with the apt-key command, found in the apt package. This program maintains a keyring of GnuPG public keys, which are used to verify the signatures in the Release.gpg files on the mirrors. It can be used to add keys manually (when non-official mirrors are used); generally, however, only the official Debian keys are needed. These keys are kept up to date automatically by the debian-archive-keyring package (which places the corresponding keyrings in /etc/apt/trusted.gpg.d). The first installation of that package, however, calls for caution: even though it is signed like any other package, that signature cannot be verified externally. A careful administrator should therefore check the fingerprints of imported keys before trusting them to install new packages:
# apt-key fingerprint
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
      Key fingerprint = 126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [expires: 2022-11-19]
      Key fingerprint = D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
      Key fingerprint = 75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid                  Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      Key fingerprint = 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
      Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
      Key fingerprint = ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>
Once the appropriate keys are in the keyring, APT checks signatures before any risky operation, and front-ends display a warning when asked to install a package whose authenticity cannot be established.
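The hash chain described above (Release lists the hashes of the Packages files, Packages lists the hashes of the .deb files), walked in an added Python example that is not part of the handbook or of APT itself. It assumes the Release file's signature has already been verified with gpgv against the keyring, uses only the SHA256 entries, and works on small constructed sample contents rather than a real mirror.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field name ends the section
            in_section = line.startswith("SHA256:")
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_bytes):
    """Return {Filename: (sha256, size)} for every stanza of a Packages file."""
    entries = {}
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def matches(data, expected):
    """Check both the size and the SHA256 digest recorded for a file."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb. The Release file's own signature
    (Release.gpg, checked with gpgv against the keyring) is assumed verified."""
    release = parse_release_sha256(release_text)
    if not matches(packages_bytes, release.get(index_path, ("", -1))):
        return False                          # index not listed or altered
    packages = parse_packages(packages_bytes)
    return matches(deb_bytes, packages.get(deb_path, ("", -1)))

# Constructed sample data (not from a real mirror): a tiny fake .deb, the
# Packages stanza describing it, and the Release lines covering that index.
DEB_PATH = "pool/main/d/demo/demo_1.0-1_amd64.deb"
DEB_BYTES = b"not a real .deb, just demo bytes\n"
PACKAGES_BYTES = (
    f"Package: demo\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Suite: jessie\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)

def demo():
    """True for the pristine chain, False once the .deb is altered in transit."""
    ok = verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES)
    bad = verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES + b"x")
    return ok, bad
```

A change anywhere below the signed Release file, whether in the index or in the package itself, breaks the chain, which is why verifying the Release signature against a key whose fingerprint was checked is the step everything else rests on.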