Asked: Sat, July 31, 2021, 1:41:13

I routinely update my system whenever it notifies me of software updates. This is one of those things that I just trust to work without knowing the details, but I have become curious recently: How do I know that

  • the process checking for updates will only show legitimate updates?

  • the updates I receive and install are not malicious?

I know that I have a set of software sources that I specify myself by URL and that whether I trust those sources is my decision. But what happens once I have specified those URLs?



From what is common these days, I would suspect that the authenticity of those sources is verified with something along the lines of HTTPS / SSL, i.e. I have some certificates that are verified against some authority, meaning I need reliable root certificates installed somewhere (probably they come with the system).



Further, I guess the packages are cryptographically signed, like with GPG or similar.



Are those assumptions correct? Where can I inspect keys / certificates used? How can I verify if they are the right ones? How can I verify that they are, in fact, used? Are there configuration options that make the process more or less prudent, and what are their defaults? Are there known attacks, or have there been vulnerabilities recently? I seem to remember Windows having a problem like that not long ago.



I'm on 12.04, but I'm assuming that this can be answered more generally.


Answers

This is a great question. The answer is (of course) fairly complex, but let me try and break it down for you. Let's first look at the technical processes:



The Chain of Trust



We don't use SSL to secure APT, we use cryptographic hashes (SHA256, these days) and OpenPGP signatures. This allows you to trust untrusted mirrors, and avoids having to trust the CA PKI.



When you add a repository to APT's sources.list, you also have to add its PGP key to APT's trusted keyring, with the apt-key command. The keyring comes with the keys for Ubuntu's repositories included. And when you use the apt-add-repository command to add a PPA, it adds the key (obtained from Launchpad over SSL) for you.



The chain of trust is:




  1. Each sources.list entry points APT to a Release file in the repository, with a Release.gpg signature (or they can be combined as an InRelease file). This file describes the repository, and must be signed by a key in your APT's keyring.

  2. The Release file contains cryptographic hashes of all the Packages and Sources files. These list all the packages and versions available in the repository.

  3. The Packages and Sources files contain the cryptographic hashes of each package.

  4. The packages themselves aren't signed. It's unnecessary: there's a chain of trust to them from the Release file, signed by the mirror. However, the source packages, used to build the binary packages, are PGP signed by the developer who uploaded them.



You can read more about the repository format on the Debian wiki.



This chain means that we don't have to trust any intermediary mirrors; we can trust that the package we install is identical to the one present when the Release file was signed.



You can inspect APT's keyring by running sudo apt-key finger.



Verifying Ubuntu's Archive Keys



How do you know what should be there? If you don't trust your computer, you can't trust any program on it not to lie to you (such as apt-key), and this exercise is futile. So let's assume this is just out of academic interest, and verify the contents of the keyring from the definitive source package, which is PGP signed by the developer who uploaded it.



Download the ubuntu-keyring source package, and see what should be there:



$ apt-get source ubuntu-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
Need to get 20.0 kB of source archives.
Get:1 http://localhost/ubuntu/ quantal/main ubuntu-keyring 2012.05.19 (dsc) [1542 B]
Get:2 http://localhost/ubuntu/ quantal/main ubuntu-keyring 2012.05.19 (tar) [18.5 kB]
Fetched 20.0 kB in 0s (0 B/s)
dpkg-source: info: extracting ubuntu-keyring in ubuntu-keyring-2012.05.19
dpkg-source: info: unpacking ubuntu-keyring_2012.05.19.tar.gz
$ gpg --verify ubuntu-keyring_2012.05.19.dsc
gpg: Signature made Sat May 19 03:33:12 2012 SAST
gpg: using RSA key 0x393587D97D86500B
gpg: Good signature from "Colin Watson <[email protected]>"
gpg: aka "Colin Watson <[email protected]>"
gpg: aka "Colin Watson <[email protected]>"
gpg: aka "Colin Watson <[email protected]>"
$ gpg --no-default-keyring --keyring ubuntu-keyring-2012.05.19/keyrings/ubuntu-archive-keyring.gpg --fingerprint
ubuntu-keyring-2012.05.19/keyrings/ubuntu-archive-keyring.gpg
-------------------------------------------------------------
pub 1024D/0x40976EAF437D05B5 2004-09-12
Key fingerprint = 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
uid Ubuntu Archive Automatic Signing Key <[email protected]>
sub 2048g/0x251BEFF479164387 2004-09-12

pub 1024D/0x46181433FBB75451 2004-12-30
Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid Ubuntu CD Image Automatic Signing Key <[email protected]>

pub 4096R/0x3B4FE6ACC0B21F32 2012-05-11
Key fingerprint = 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid Ubuntu Archive Automatic Signing Key (2012) <[email protected]>

pub 4096R/0xD94AA3F0EFE21092 2012-05-11
Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>


I know that that is actually Colin Watson's signature, as I've met him several times and we've verified each other's identities and signed each other's keys. If you have a key in the PGP strong set, you should be able to find a trust path to him. I also know that I can trust him to upload the correct ubuntu-keyring package.



For Debian, there's a package (debian-keyring) containing the PGP keys of all Debian Developers, and you can use this to verify source package signatures. Ubuntu doesn't have an equivalent, but many Ubuntu Developers are also Debian Developers, and all our developers' PGP keys are available on their profiles in Launchpad.



The other questions




How do I know updates aren't malicious?




It comes down to trust. You have to fully trust every repository you use. You are giving the maintainers of each repository permission to run things as root on your machine.



Ubuntu packages can only be uploaded by Ubuntu Developers who have been granted upload rights by the Developer Membership Board (which I currently serve on). To apply for upload rights you must be advocated by several existing Ubuntu Developers who have worked with you and trust your abilities to work on your own. Without upload rights, uploads have to be sponsored by developers who have the rights (which should include review of the upload).



For post-release updates, Ubuntu has strict policies about the contents of updates. They should only contain minimal patches to fix known bugs. The patches are reviewed by members of the SRU / Security teams before being accepted.



Obviously, PPAs and 3rd party repositories don't have all these restrictions. You have to trust the PPA owners to be sensible.



All Ubuntu & PPA packages have the source available, so they can be inspected by anyone.




Are there configuration options that make the process more or less prudent, and what are their defaults?




You can turn off signature verification in APT, but of course it's on by default. When you try and install something from an unsigned / untrusted repository, apt makes you confirm that you really want to do this.




Are there known attacks, or have there been vulnerabilities recently?




I recall one, Debian bug 499897. Debian gets around this by giving Release files an expiry date, after which they can't be trusted. Ubuntu doesn't support this yet.


Answered: Sunday, August 1, 2021
User: ligenvirt (Location: Senegal; member since Fri, Aug 21, 2020)
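To make the chain of trust described in the answer concrete, here is an added example (not code from the question, the answer, or APT itself) that walks the hash chain Release -> Packages -> .deb offline. The Release and Packages files, the package bytes, and the "now" timestamps are constructed stand-ins that only follow the Debian repository file format; the OpenPGP check on Release.gpg / InRelease (the link apt and gpg perform first) is assumed to have already passed and is not repeated here. The example goes slightly beyond the answer by also checking the Release file's Valid-Until field, the expiry the answer mentions as Debian's defence against being served a stale Release file.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample archive (not a real Ubuntu repository) ---------------
# Step 3 of the chain: a fake .deb and the Packages stanza describing it.
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed example package contents\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
).encode()

# Steps 1-2: a Release file (its PGP signature is assumed already verified)
# listing the hash and size of the Packages file.  Valid-Until is the expiry
# that stops an old but validly signed Release file from being replayed.
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Sat, 31 Jul 2021 00:00:00 UTC\n"
    "Valid-Until: Sat, 07 Aug 2021 00:00:00 UTC\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)


def parse_release(text: str):
    """Return (header fields, {path: (sha256, size)}) from a Release file.
    Only the SHA256 section is read; real files also carry MD5Sum/SHA1."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            if section == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section = key
        if value.strip():
            fields[key] = value.strip()
    return fields, hashes


def parse_packages(text: str):
    """Return {Filename: (sha256, size)} from a Packages file."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify_chain(release_text, packages_bytes, packages_path,
                 deb_path, deb_bytes, now):
    """Walk Release -> Packages -> .deb and report the first broken link."""
    fields, hashes = parse_release(release_text)
    if now > parsedate_to_datetime(fields["Valid-Until"]):
        return "release expired"
    if hashes.get(packages_path) != (sha256_hex(packages_bytes), len(packages_bytes)):
        return "Packages file does not match Release"
    entries = parse_packages(packages_bytes.decode())
    if entries.get(deb_path) != (sha256_hex(deb_bytes), len(deb_bytes)):
        return "package does not match Packages"
    return "ok"


def check(packages_bytes=PACKAGES_BYTES, deb_bytes=DEB_BYTES,
          now=datetime(2021, 8, 1, tzinfo=timezone.utc)):
    return verify_chain(RELEASE_TEXT, packages_bytes, PACKAGES_PATH,
                        DEB_PATH, deb_bytes, now)


def demo_ok():
    return check()


def demo_tampered_package():
    # Changing even a few bytes of the .deb breaks the last link of the chain.
    return check(deb_bytes=DEB_BYTES.replace(b"example", b"exemple"))


def demo_tampered_index():
    # A modified Packages file no longer matches the signed Release file.
    return check(packages_bytes=PACKAGES_BYTES + b"\n")


def demo_stale_release():
    # Replaying this Release file a month later fails the Valid-Until check.
    return check(now=datetime(2021, 9, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for demo in (demo_ok, demo_tampered_package, demo_tampered_index, demo_stale_release):
        print(f"{demo.__name__}: {demo()}")
```

The point of the three failing demos is that a mirror cannot substitute a package, rewrite the index, or keep serving last month's Release file without one of these checks tripping, which is exactly why the signature only needs to cover the Release file.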