adept manager does not check the signature of the repository

Bug #162053 reported by Lee Garrett
Affects: adept (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Binary package hint: adept-manager

Hi there,

I have my own little repository on my main server on a LAN. I added this repository to /etc/apt/sources.list. To my surprise adept-manager *DOES NOT* do any checking of the signature. It installs packages without giving out a warning for the missing signature/key. I haven't imported the key of my repository yet. Synaptic gives a warning if I try to install a homebrew package, Adept manager does not.

This implies that the chain of trust is broken and it's possible to slip malicious packages to the end-user without him ever noticing ... if he uses adept-manager.

Maybe I have missed something obvious, but this is a fresh install of Kubuntu gutsy, and I haven't noticed any option for disabling this check that I might have accidentally activated.

Kind regards,
Lee Garrett

Revision history for this message
Lee Garrett (leegarrett) wrote :

Hello,

Has anyone been able to reproduce this bug? I think it is really important.

Kind regards,
Lee

Marco Maini (maini10) wrote :

This bug seems reproducible. I think that apt does this control: please try using apt-get. In my opinion, this is an Adept issue that may cause severe security problems.

Changed in adept:
assignee: nobody → maini10
status: New → Incomplete

Kees Cook (kees) wrote :

Thanks for the report. Can you attach your sources.list file and include step-by-step instructions on how the check is failing?

Marco Maini (maini10) wrote :

Try to follow these steps:
1) add the repository http://download.tuxfamily.org/3v1deb feisty eyecandy (packages contained in this repository are signed, but I haven't trusted the key for this test)
2) give the command apt-get update or Fetch Updates in Adept
3) try the command sudo apt-get install aquamarine (a package chosen randomly for the test). A warning is shown asking the user if he wants to continue the installation without verifying the signature. I stop the installation.
4) open Adept and mark aquamarine to install. No warnings are shown and the installation is completed. The user can't stop it and doesn't know that he's installing unsigned packages.

Marco Maini (maini10) wrote :

Report seems complete. Probably this bug needs tests for previous versions that may have the same issue. I can reproduce it in Hardy and, according to the reporter, Gutsy is probably affected by this.

Changed in adept:
assignee: maini10 → nobody
status: Incomplete → Confirmed

Lee Garrett (leegarrett) wrote :

Kubuntu Gutsy is affected, yes. Easiest way to reproduce the bug is to delete the Ubuntu repository key and try to install any package. Whereas Synaptic warns about a missing signature with big bold letters, adept quietly disregards the missing signature. This is a grave bug with security implications. There are quite a few scenarios where a user would end up with a malicious package on his/her system:

1) DNS spoofing. The attacker simply spoofs a DNS request and archive.ubuntu.com will resolve to ${IP_OF_ATTACKER}, where a pool of crafted packages including a rootkit is. The signature breaks, since the attacker does not possess the archive signing key, but adept ignores it anyway.

2) Mirror cracked. Some mirror gets cracked and the attacker uploads some rootkit to the package pool. Signature breaks, adept quietly ignores and happily installs away.

There are some more scenarios I could think of, but in most cases the signature is there to repel such attacks.

Question: As adept disregards Release.gpg, does it check the MD5 sums in the file Release or Packages{.gz|.bz}? If not, we may even observe system corruption by incomplete package downloads.

On a side note: Does anyone know if Debian is affected?

Kind regards,
Lee Garrett
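
Lee's question above concerns the second link of apt's chain of trust: even once Release.gpg has been verified, a frontend must still check the hashes that Release lists for the Packages index and the hashes that Packages lists for each .deb, or altered and truncated downloads get installed. The following Python is an added example, not code from this bug report, from apt or from Adept. It walks that chain over a constructed in-memory mirror (the sample Release, Packages and .deb contents are made up; the package name aquamarine is borrowed from the steps above), refuses outright when Release.gpg is absent, and assumes the signature on Release has already been checked by gpgv against the trusted keyring before the hash chain is walked.

```python
import hashlib
import re

# Chain being verified (the signature step is assumed done out of band by gpgv):
#   Release.gpg -> Release -> hashes of index files (Packages, ...) -> hash of each .deb
# A frontend that skips any link accepts altered or incomplete files silently.

_ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release_hashes(release_text):
    """Return {filename: (size, hexdigest, algo)} from a Release file,
    preferring the SHA256 section and falling back to MD5Sum."""
    sections, current = {}, None
    for line in release_text.splitlines():
        header = re.match(r"^(MD5Sum|SHA1|SHA256):\s*$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current and line.startswith(" "):
            parts = line.split()          # " <digest> <size> <name>"
            if len(parts) == 3:
                sections[current][parts[2]] = (int(parts[1]), parts[0].lower())
        else:
            current = None                # any other header ends the hash block
    for algo in ("SHA256", "MD5Sum"):
        if algo in sections:
            return {n: (s, d, algo) for n, (s, d) in sections[algo].items()}
    return {}


def verify_index(release_hashes, name, data):
    """Check one index file (e.g. Packages) against its Release entry."""
    if name not in release_hashes:
        return False                      # not listed: refuse rather than guess
    size, expected, algo = release_hashes[name]
    return len(data) == size and hashlib.new(_ALGOS[algo], data).hexdigest() == expected


def parse_packages(packages_text):
    """Split a Packages index into a list of {field: value} stanzas."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_deb(stanza, deb_bytes):
    """Check a downloaded .deb against the Size and SHA256 (or MD5sum) of its stanza."""
    if int(stanza.get("Size", -1)) != len(deb_bytes):
        return False                      # truncated or padded download
    for field, algo in (("SHA256", "sha256"), ("MD5sum", "md5")):
        if field in stanza:
            return hashlib.new(algo, deb_bytes).hexdigest() == stanza[field].lower()
    return False                          # no usable hash field at all


def verify_install(repo, package_name):
    """Walk the chain for one package. `repo` maps mirror paths to bytes
    (None = file absent). Returns (ok, reason)."""
    if repo.get("Release.gpg") is None:
        return False, "Release.gpg missing: refuse (this is where apt-get warns)"
    # Assumption: gpgv has already verified Release.gpg over Release here.
    release_hashes = parse_release_hashes(repo["Release"].decode())
    packages = repo["Packages"]
    if not verify_index(release_hashes, "Packages", packages):
        return False, "Packages index does not match Release"
    for stanza in parse_packages(packages.decode()):
        if stanza.get("Package") == package_name:
            deb = repo.get(stanza["Filename"])
            if deb is None:
                return False, "deb not found on mirror"
            if not verify_deb(stanza, deb):
                return False, "deb does not match Packages entry (tampered or truncated)"
            return True, "ok"
    return False, "package not in index"


# --- constructed sample mirror; none of this is a real repository ---
DEB = b"!<arch>\n" + b"A" * 100          # stand-in for aquamarine_1.0_all.deb
PACKAGES = (
    "Package: aquamarine\nVersion: 1.0\nArchitecture: all\n"
    "Filename: pool/main/a/aquamarine/aquamarine_1.0_all.deb\n"
    f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n\n"
).encode()
RELEASE = (
    "Origin: example\nSuite: feisty\nComponents: eyecandy\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} Packages\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} Packages\n"
).encode()
GOOD_REPO = {"Release": RELEASE, "Release.gpg": b"<signature bytes>",
             "Packages": PACKAGES,
             "pool/main/a/aquamarine/aquamarine_1.0_all.deb": DEB}

if __name__ == "__main__":
    print(verify_install(GOOD_REPO, "aquamarine"))
```

Running it with a mirror whose Release.gpg is missing, whose Packages file was edited, or whose .deb was truncated or altered makes each link of the chain refuse in turn; that is the set of checks a frontend has to keep for the scenarios Lee lists (spoofed host, compromised mirror, incomplete download) to be caught.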

Lee Garrett (leegarrett) wrote :

Hi,

Will this bug be addressed in Hardy? It would be sad if it was still there in the next release.

Kind regards,
Lee

Jonathan Thomas (echidnaman) wrote :

Marking as duplicate of bug 256245. While this bug is older, the other bug already has the Importance set to high, an upstream bug report link, and a milestone set.

This report contains Public Security information. Everyone can see this security related information.