I routinely update my system whenever it notifies me of software updates. This is one of those things that I just trust to work without knowing the details, but I have become curious recently: How do I know that
- the process checking for updates will only show legitimate updates?
- the updates I receive and install are not malicious?
I know that I have a set of software sources that I specify myself by URL and that whether I trust those sources is my decision. But what happens once I have specified those URLs?
From what is common these days, I would suspect that the authenticity of those sources is verified with something along the lines of HTTPS / SSL, i.e. I have some certificates that are verified against some authority, meaning I need reliable root certificates installed somewhere (probably they come with the system).
Further, I guess the packages are cryptographically signed, like with GPG or similar.
Are those assumptions correct? Where can I inspect keys / certificates used? How can I verify if they are the right ones? How can I verify that they are, in fact, used? Are there configuration options that make the process more or less prudent, and what are their defaults? Are there known attacks, or have there been vulnerabilities recently? I seem to remember Windows having a problem like that not long ago.
I'm on 12.04, but I'm assuming that this can be answered more generally.