Ubuntu – Danger of using an untrusted apt mirror or proxy

Tags: apt, authentication, deb, debian

My vague understanding of the authentication mechanisms behind debian/ubuntu packaging tells me that it should be safe to install packages downloaded from an untrusted server or proxy as long as apt is able to verify them without issuing warning messages.

Is this correct?

For example, say I'm trying to connect to the standard ubuntu servers to do security updates (i.e. security.ubuntu.com). To reduce bandwidth consumption, I'm going through a local apt-cacher proxy, but it's possible that someone may have tampered with the packages cached on that proxy server. Or there may even be a transparent apt proxy along the line somewhere. Will I get a warning if the packages are not the correct ones? How does updating my apt cache (sudo aptitude update) affect this?

Best Answer

You might need to consider the following situations when it comes to apt repository security. You will find your answer below.

You are adding an untrusted repository

Since anyone can create a private-public key pair, just validating the downloaded contents or apt index with the public key won't solve the problem when the author of the repository and the owner of the key puts malicious software in the repository.

He would create a key pair, sign the contents with his private key, upload the contents to the repository and then upload his public key.

Then you add the repository, download his public key and then try to check. Apt would verify it without issuing warning messages. You might feel you are secure, but you are not. Are you sure you believe the person who has uploaded the content?

You added a repository which has content uploaded by a person you know

This might seem safe. You know the person's name and see that he has signed the repository contents and also the index. In this case too you are insecure. Anyone can impersonate the name.

In this case you need to verify the public key. You should know that person's public key and should be sure about it. If you know the person and see that the repository needs a different public key for validating the contents, then you should not trust that repository.

You should know the person's name and his public key together to validate the authenticity of the repository. If either of them is wrong, don't trust the repository.

This is the reason why geek and hacker circles have key-signing parties where they meet in person, show each other valid identity proof and then establish trust.

You know the person, have the correct public key, but apt shows warnings

This might be the case when you are trying to add the repository, but your computer is not getting the correct apt URL. This might be the situation where your DNS is not working properly and someone is trying to trick you into adding the wrong repository by DNS cache poisoning.

If you get an apt warning even when you have the correct public key, then ABORT. Don't go forward. This third case is usually very rare and you should not be worried about encountering this situation.


Conclusion

  1. When you want to add a repository and you want to be very sure you are adding the correct repository, you need to know the person who has uploaded the content and should be sure about his public key.

  2. Validate the repository only against his public key and not the one which repository owner asks you to verify against. This is the safest mechanism. As mentioned above, it is NOT safe even if apt doesn't give warnings when adding a repository. The contents might be malicious.

  3. Even if you are using a well-known repository and apt complains, it means that you are not adding the correct repository. You are NOT SAFE.
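The chain the answer describes, as an added example (not the answer's own code and not apt's implementation): once gpg has confirmed that the Release file's signature is valid, what decides safety is whether the signing key's fingerprint is one you pinned yourself, and whether the Packages index and the .deb still match the hashes that signed Release vouches for. The sample Release, Packages stanza, .deb bytes and pinned fingerprint are all constructed here; a tampered package on a proxy or mirror fails the last hash check, while a valid signature from a key you never chose to trust fails the first.

```python
import hashlib
# Constructed sample data (not a real archive): one .deb body, one Packages stanza,
# and a Release file whose SHA256 section covers that Packages index.
DEB_BYTES = b"!<arch>\n" + b"constructed-deb-payload\n" * 4
PACKAGES_INDEX = (
    "Package: example-tool\nVersion: 1.0-1\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
)
RELEASE = (
    "Suite: jammy-security\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX.encode()).hexdigest()}"
    f" {len(PACKAGES_INDEX.encode())} main/binary-amd64/Packages\n"
)
# Key fingerprint the admin pinned out of band (constructed placeholder, not a real key).
PINNED_FINGERPRINTS = {"0" * 40}

def release_hashes(release_text):
    """Parse the SHA256 section of a Release file into {path: (sha256, size)}."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.startswith("SHA256:")  # any other top-level field ends it
        elif in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def packages_entry(index_text, name):
    """Return the field dict for package `name` from a Packages index, or None."""
    for stanza in index_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Package") == name:
            return fields
    return None

def verify_chain(signing_fpr, release_text, index_text, index_path, name, deb_bytes):
    """Trust chain as apt applies it: pinned key -> Release -> Packages -> .deb.
    Assumes gpg already confirmed the Release signature is *valid* under signing_fpr."""
    if signing_fpr not in PINNED_FINGERPRINTS:
        return "untrusted signing key"  # valid signature, but not a key we chose to trust
    digest, size = release_hashes(release_text).get(index_path, (None, None))
    data = index_text.encode()
    if digest != hashlib.sha256(data).hexdigest() or size != len(data):
        return "Packages index does not match Release"
    entry = packages_entry(index_text, name)
    if entry is None or entry.get("SHA256") != hashlib.sha256(deb_bytes).hexdigest():
        return ".deb does not match Packages index"  # e.g. tampered on a mirror or proxy
    return "ok"
```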
