LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 10-18-2015, 12:40 AM   #1
Altiris
What exactly is the purpose of PGP in packages?


I am actually somewhat embarrassed asking this, but what is the purpose of a distro having a PGP key? For Arch I see there is an archlinux-keyring that contains a list of PGP keys from the developers that package software. Same for Slackware, there is a PGP key. What exactly is the purpose of having this when we have checksum checks? I am sort of confused really. How does PGP offer more protection?
 
Old 10-18-2015, 02:12 AM   #2
vincix
Distribution: Centos 6.7, 7
I don't know a lot about PGP, but I do know that PGP is used for authentication, privacy encryption and so on and so forth. Checksums are only used to verify the integrity of a file (or a packet header, etc). They are not protocols, they're just a simple calculation to see that what you've downloaded is the right thing and that it hasn't been altered.
 
Old 10-18-2015, 04:36 AM   #3
qlue
Distribution: Crunchbangified Debian 8 (Jessie)
PGP is an asymmetrical encryption system. The packages are signed by the maintainers of the repository using a 'private' key that only they have access to. Your package management system verifies that package using the public key that everyone has access to.

This way only the people maintaining the repository can sign packages. This makes it a lot more difficult for anyone to inject malware into the repository.

For example without signed packages, your ISP or your Government could potentially detect when you're installing or updating your software and swap the legitimate packages out for modified versions. (called a 'man in the middle' attack)
Or a Cracker could replace packages in the repository server itself with modified packages. Probably the easiest way would be to set up a fake mirror of the repos.

All of these types of attacks will fail unless the attacker has the correct signing key.

This is one of the main reasons Linux Distros are generally more resistant to malware than some other operating systems.

Google's play store and Apple's app store are both prone to malware because these companies sell space to third party developers. They also use signing keys, but you can pay to get any junk signed and they won't even ask to see the source code as long as they're getting paid.
 
Old 10-18-2015, 06:49 AM   #4
allend
Distribution: Slackware-current
Checksum checks using MD5 are not secure, as it is possible to create an MD5 collision. This is the technique that was used when propagating the Stuxnet worm. http://arstechnica.com/security/2012...-breakthrough/
As a response, more secure signing techniques have been adopted.
 
Old 10-18-2015, 08:46 AM   #5
Altiris
Original Poster
Quote:
Originally Posted by allend View Post
Checksum checks using MD5 are not secure, as it is possible to create an MD5 collision. This is the technique that was used when propagating the Stuxnet worm. http://arstechnica.com/security/2012...-breakthrough/
As a response, more secure signing techniques have been adopted.
So do distros no longer use checksumming, or do they use a combination of both MD5 checksums and PGP?
 
Old 10-18-2015, 09:16 AM   #6
TobiSGD
Distribution: Whatever fits the task best
Quote:
Originally Posted by Altiris View Post
So do distros no longer use checksumming, or do they use a combination of both MD5 checksums and PGP?
They use both, md5sum to make sure that the package has not been corrupted during the download (md5 checksums are good enough for that) and GPG keys to make sure that the package is signed by a distro developer to prevent attacks from this vector.
 
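qlue's explanation in #3 (packages signed with a private key that only the maintainers hold, verified with a public key everyone has) and TobiSGD's point in #6 (a checksum catches download corruption, a signature catches substitution) can be made concrete in a few lines. What follows is an added example, not code from this thread or from any distro's package manager. It uses textbook RSA over SHA-256 with a tiny 512-bit modulus, built only from the Python standard library, purely to show the difference between the two checks; real package managers use OpenPGP signatures (GnuPG) with proper padding and key sizes, and this toy must never be used for anything real. The package bytes, the "published" checksum and all keys are constructed inside the script.

```python
"""Toy demonstration: a checksum alone cannot authenticate a package,
a signature made with the distro's private key can.

Textbook RSA (no padding) over SHA-256 with a 512-bit modulus, standard
library only. Educational: real packages are signed with OpenPGP/GnuPG.
"""
import hashlib
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(seed, bits=512):
    """Return (public, private) as (n, e), (n, d). Seeded and tiny: toy only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def _digest_int(data):
    # SHA-256 digest as an integer; < 2**256, so always below the 512-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def check_package(package, sha256_hex, signature, distro_public_key):
    """What a package manager does: integrity check, then authenticity check."""
    integrity_ok = hashlib.sha256(package).hexdigest() == sha256_hex
    authentic = verify(distro_public_key, package, signature)
    return integrity_ok, authentic


def run_scenarios():
    """Four downloads; returns {name: (checksum_ok, signature_ok)}."""
    distro_pub, distro_priv = generate_keypair(seed=1)      # the key in the keyring
    _attacker_pub, attacker_priv = generate_keypair(seed=2)  # a fake mirror's own key

    package = b"constructed package payload v1.0"            # constructed sample data
    trojan = b"constructed package payload v1.0 + backdoor"  # constructed sample data
    published_sha = hashlib.sha256(package).hexdigest()
    published_sig = sign(distro_priv, package)

    results = {}
    # 1. Honest download: both checks pass.
    results["genuine"] = check_package(package, published_sha, published_sig, distro_pub)
    # 2. Bit flip in transit, no attacker: the checksum alone catches it.
    corrupted = package[:-1] + bytes([package[-1] ^ 0x01])
    results["corrupted"] = check_package(corrupted, published_sha, published_sig, distro_pub)
    # 3. Man in the middle swaps the package AND the checksum file (same channel):
    #    checksum passes, signature over the original package does not.
    results["mitm_checksum_swapped"] = check_package(
        trojan, hashlib.sha256(trojan).hexdigest(), published_sig, distro_pub)
    # 4. Fake mirror re-signs with its own key: verifier only trusts the distro key.
    results["fake_mirror_resigned"] = check_package(
        trojan, hashlib.sha256(trojan).hexdigest(), sign(attacker_priv, trojan), distro_pub)
    return results


if __name__ == "__main__":
    for name, (integrity, authentic) in run_scenarios().items():
        print(f"{name:24s} checksum_ok={integrity!s:5s} signature_ok={authentic}")
```

Running it prints one line per scenario: the corrupted download fails the checksum; the man in the middle who swaps both the package and the checksum file passes the checksum but fails the signature; the fake mirror that re-signs with its own key also fails, because the verifier only trusts the key in the distro's keyring. The checksum file is only as trustworthy as the channel it arrived over, which is why distros sign the package (or the checksum list) rather than relying on the hash alone.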
Old 10-18-2015, 02:32 PM   #7
ubermatrix
When I need a package that is not available in my repositories, or an ISO image, I always hope the developer's website has the key(s) to ensure the authenticity.

For example, a while back I downloaded the Tails ISO image, the cryptographic signature and the Tails signing key.

Unfortunately, many use checksums for checking a non-corrupted download or altered package/iso. It's better than nothing.

 
Old 10-19-2015, 04:06 AM   #8
qlue
Distribution: Crunchbangified Debian 8 (Jessie)
Quote:
Originally Posted by ubermatrix View Post
When I need a package that is not available in my repositories, or an ISO image, I always hope the developer's website has the key(s) to ensure the authenticity.
A better approach is to learn to compile from source and download the upstream source of the package you need.

However, if a package you need is not in your distribution's repositories, it may be because its function is not in line with that distribution's intended uses. There are many niche distros that are specifically tuned to certain types of work. They often have packages not found in the average distro simply because the only people that require them are people doing that one specific type of work.

I usually try to find the closest match from my distro's repository though.
 
Old 10-19-2015, 10:23 AM   #9
onebuck
Distribution: Slackware®
Member response

Hi,

Quote:
Originally Posted by Altiris View Post
I am actually somewhat embarrassed asking this, but what is the purpose of a distro having a PGP key? For Arch I see there is an archlinux-keyring that contains a list of PGP keys from the developers that package software. Same for Slackware, there is a PGP key. What exactly is the purpose of having this when we have checksum checks? I am sort of confused really. How does PGP offer more protection?
Look at: https://en.wikipedia.org/wiki/Pretty_Good_Privacy to get some useful information.
Hope this helps.
Have fun & enjoy!
 