
6.5. Checking Package Authenticity

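Security is very important to the Falcot Corp administrators. Accordingly, they install only packages that are guaranteed to come from Debian without tampering. A computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, would do whatever the cracker designed it to do, including disclosing passwords or confidential information. To avoid this risk, Debian provides a tamper-proof seal which guarantees, at install time, that a package really comes from its official maintainer and has not been modified by a third party.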
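The seal consists of a chain of cryptographic hashes and a signature. The signed file is the Release file, provided by the Debian mirrors. It contains a list of the Packages files (including their compressed forms, Packages.gz and Packages.xz, and the incremental versions), along with their MD5, SHA1 and SHA256 hashes, which ensures that those files have not been tampered with. The Packages files in turn contain a list of the Debian packages available on the mirror, along with their hashes, which is enough to guarantee that the contents of the packages themselves have not been altered either.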
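
The hash chain described above, as an added example that is not part of the original text and is not APT's own code: it checks a package against its Packages entry and the Packages file against the Release file. It assumes the signature on Release has already been verified against a trusted key, and all sample data is constructed.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_sha256(release_text):
    """Map path -> (digest, size) from the SHA256: section of a Release file."""
    entries, inside = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            inside = True
        elif inside and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            inside = False  # any other field ends the section
    return entries

def packages_index(packages_text):
    """Map Filename -> stanza fields from a Packages index."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        index[fields["Filename"]] = fields
    return index

def verify_chain(release_text, pkgs_path, pkgs_bytes, deb_name, deb_bytes):
    """Assumes Release's signature was already checked; returns None or the broken link."""
    listed = release_sha256(release_text).get(pkgs_path)
    if listed != (sha256(pkgs_bytes), len(pkgs_bytes)):
        return "Packages does not match Release"
    entry = packages_index(pkgs_bytes.decode()).get(deb_name)
    if entry is None:
        return "package not listed in Packages"
    if (entry["SHA256"], int(entry["Size"])) != (sha256(deb_bytes), len(deb_bytes)):
        return "package does not match Packages"
    return None

# Constructed sample data (not taken from a real mirror).
DEB_NAME = "pool/main/e/example/example_1.0_all.deb"
DEB = b"constructed stand-in for the bytes of a .deb file"
PACKAGES = (f"Package: example\nVersion: 1.0\nFilename: {DEB_NAME}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
PKGS_PATH = "main/binary-amd64/Packages"
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {PKGS_PATH}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, PKGS_PATH, PACKAGES, DEB_NAME, DEB))
    print(verify_chain(RELEASE, PKGS_PATH, PACKAGES, DEB_NAME, DEB + b"\x00"))
```

A change to the package bytes breaks the second link, and a change to the Packages file breaks the first, so only the Release file needs a signature.
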
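The trusted keys are managed with the apt-key command, found in the apt package. This program maintains a keyring of GnuPG public keys, which are used to verify the signatures in the Release.gpg files available on the mirrors. It can be used to add new keys manually (when non-official mirrors are needed). Generally, however, only the official Debian keys are needed. These keys are automatically kept up to date by the debian-archive-keyring package (which puts the corresponding keyrings in /etc/apt/trusted.gpg.d). However, the first installation of this particular package requires caution: even though the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages: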
# apt-key fingerprint
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
      Key fingerprint = 126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [expires: 2022-11-19]
      Key fingerprint = D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
      Key fingerprint = 75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid                  Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      Key fingerprint = 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
      Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
      Key fingerprint = ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>
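Once the appropriate keys are in the keyring, APT checks the signatures before any risky operation, so that front-ends display a warning when asked to install a package whose authenticity cannot be ascertained.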