Introductory background to the question below
(so the question is more usable to more people)
Inside an Ubuntu/Debian-style package (*.deb file) there is a file named
/DEBIAN/md5sums
which has content of this form:
212ee8d0856605eb4546c3cff6aa6d35 usr/bin/file1
4131b66dc3913fcbf795159df912809f path/to/file2
8c21de23b7c25c9d1a093607fc27656a path/to/file3
c6d010a475366e0644f3bf77d7f922fd path/to/place/of/file4
I assume this file is used to check that the files which come with the package have not been corrupted somehow. Since the file is called `/DEBIAN/md5sums`, I assume the hex number before the path+filename is the MD5 Message-Digest Algorithm hash of the package's files.
Now everybody interested knows that the MD5 hash was broken a long time ago. Therefore it is totally possible to change the content of a file in the package (e.g. maliciously) and still have the file end up with the same MD5 hash (see for instance the proof of concept "Predicting the winner....").
Question
Bearing in mind the information above I want to know the following:
Assuming I install a package on my Ubuntu system, is the DEBIAN/md5sums file
the only means to make sure the data has not been tampered with?
To answer the question, I think it could help to figure out the following:
- Are the deb packages as a whole also hashed (hash values made for them), so that there is another way to make sure the files received are "safe"/"untampered"?
- If there are other ways than the DEBIAN/md5sums file to ensure integrity, what is the file included in the *.deb packages for anyhow?
- Does Ubuntu use hashes for the repository/package system that are "less broken" than SHA-1 and MD5?
(which unfortunately I do not know either.)
Any response which can shed light on the question (or even only a sub-question) is very welcome.
Update
(1)
https://help.ubuntu.com/community/Repositories/Ubuntu#Authentication_Tab seems to indicate that there is (as I hoped for) some public/private GPG keying going on (to keep the repos and package system safe from attacks). The information at the linked location is not very much, though. It tells almost nothing about the security aspect of the package system. Anyhow, I assume the link already indicates that the answer to the question will be "NO - at least the deb packages from the repo - are also secured by .... ". Hope somebody has some insights to use for an answer here.
(2)
This question also seems to be about the topic of "security" in the Ubuntu package system, so I just add it here so it is at hand if somebody strives to figure the question out: Why are the proposed BADSIG (on apt-get update) fixes secure?
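The md5sums list shown in the question can be checked mechanically. Below is an added example, not code from the question or from any Debian tool (debsums does a more complete version of the same check): it parses entries of the `<32 hex digits>  <relative path>` form, hashes each listed file under a chosen root directory with MD5, and reports which entries match, which digests differ and which files are missing. The three package files, the md5sums content and the post-listing modifications are constructed inline in a temporary directory so the script runs offline; the single-space separator in the question's sample is accepted alongside Debian's usual two spaces.

```python
"""Verify files against a Debian-style DEBIAN/md5sums list.

Added example, not code from the question or from any Debian tool.
All inputs (file contents and the md5sums listing) are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sums(text):
    """Parse lines of the form '<32 hex chars> <relative path>'.

    Debian writes two spaces between digest and path; a single space
    (as in the question's sample) is accepted too. Paths may contain
    spaces, so only the first space terminates the digest.
    Returns a list of (digest, relpath) tuples; malformed lines raise.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition(" ")
        path = path.lstrip(" ")
        if not sep or len(digest) != 32 or not set(digest) <= HEX or not path:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        entries.append((digest, path))
    return entries


def file_digest(path, algorithm="md5"):
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, entries):
    """Compare each listed file under root with its recorded MD5.

    Returns (ok, mismatched, missing): lists of relative paths.
    A file is 'mismatched' when its current digest differs from the
    one recorded in the list, i.e. it was altered after the list was made.
    """
    ok, mismatched, missing = [], [], []
    for expected, rel in entries:
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif file_digest(full) != expected:
            mismatched.append(rel)
        else:
            ok.append(rel)
    return ok, mismatched, missing


def make_md5sums(root, relpaths):
    """Build md5sums text for files under root in Debian's two-space layout."""
    return "".join(f"{file_digest(os.path.join(root, r))}  {r}\n" for r in relpaths)


def demo():
    """Constructed scenario: three files listed, then one altered and one deleted."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/file1": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/pkg/README": b"docs\n",
        "etc/pkg/with space.conf": b"key=value\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    entries = parse_md5sums(make_md5sums(root, list(files)))
    # Changes made after the listing was produced: appended content and a removed file.
    with open(os.path.join(root, "usr/bin/file1"), "ab") as f:
        f.write(b"echo extra line\n")
    os.remove(os.path.join(root, "usr/share/doc/pkg/README"))
    return verify_tree(root, entries)


if __name__ == "__main__":
    ok, bad, gone = demo()
    print("ok:        ", ok)
    print("mismatched:", bad)
    print("missing:   ", gone)
```

Running it lists `etc/pkg/with space.conf` as ok, `usr/bin/file1` as mismatched and `usr/share/doc/pkg/README` as missing. The same layout and loop work unchanged with a different digest by passing `algorithm="sha256"` to `file_digest`, which is what makes the list format itself independent of the hash chosen.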