Ubuntu Updates – How is the Authenticity Verified?


I couldn't find much info on the security of Ubuntu (and Linux in general) update verification/security.

The connection appears to be plain FTP, but the packages are signed using a private key and the corresponding public key is stored in the system as a trusted key.

So what are the details? Is the package itself signed or just the hash? Is it an RSA 4096 bit key? What are the chances of a malicious entity being able to mess with the updates and who owns the private key?

Best Answer

A concept called Secure Apt is used to verify the integrity of packages from Apt package repositories. The key methods are:

  • Package maintainers generate and publish a list of checksums calculated by secure hash functions from their packages (binary and source).

  • They sign that list with their private GPG key.

  • Apt maintains a key ring with public GPG keys of verified package authors and maintainers.

  • Upon package download and installation, Apt verifies

    1. the integrity of the checksum list with respect to the key ring and
    2. the integrity of the software package based on those verified checksums.

For more info, visit the Debian Wiki on Secure Apt.
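As an added illustration (not part of the answer above, and not apt's own code), the two checksum steps of that chain in Python over constructed sample data: the Packages index must match the Release file, and the .deb must match the Packages index. The GPG check of the Release file's signature against the keyring, which apt performs before trusting either list, is assumed to have already passed and is not reproduced here.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample .deb payload (not a real package).
DEB = b"!<arch>\nconstructed-sample-package-contents\n"

# Constructed Packages index: one stanza per binary package, carrying the
# .deb's checksum and size exactly as a real index does.
PACKAGES = (
    "Package: demo\nVersion: 1.0-1\nArchitecture: amd64\n"
    "Filename: pool/main/d/demo/demo_1.0-1_amd64.deb\n"
    f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n"
).encode()

# Constructed Release file: its SHA256: section lists the index files.
# In a real repository this file is what the archive key signs.
RELEASE = (
    "Suite: example\nSHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
).encode()

def parse_release_sha256(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release.decode().splitlines():
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:  # any other header line ends the section (e.g. MD5Sum:, SHA1:)
            in_section = line.rstrip(":") == "SHA256"
    return entries

def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (sha256, size)} from a Packages index."""
    result = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def matches(data: bytes, expected: tuple) -> bool:
    digest, size = expected
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)

def verify_chain(release, packages, packages_path, deb, deb_path) -> bool:
    """Reject unless Release vouches for Packages and Packages vouches for the .deb."""
    idx = parse_release_sha256(release)
    if packages_path not in idx or not matches(packages, idx[packages_path]):
        return False
    pk = parse_packages(packages)
    return deb_path in pk and matches(deb, pk[deb_path])
```

A tampered .deb fails the second step, and a tampered Packages index that lists the tampered .deb's correct hash still fails the first step, because only the signed Release file anchors the chain.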