Comment 6 for bug 1649097

Seth Arnold (seth-arnold) wrote :

Vyacheslav, as long as your APT is properly configured, sources downloaded with apt-get source are trusted via the same mechanism used for binary packages.

If you attempt to download modified contents you'll get error messages like this:

$ apt-get source dash
Reading package lists... Done
NOTICE: 'dash' packaging is maintained in the 'Git' version control system at:
http://smarden.org/git/dash.git/
Please use:
git clone http://smarden.org/git/dash.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 299 kB of source archives.
Get:1 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (dsc) [1,882 B]
Get:2 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (tar) [223 kB]
Get:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff) [73.8 kB]
Err:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff)
  Hash Sum mismatch
Fetched 299 kB in 0s (10.4 MB/s)
E: Failed to fetch http://mirrors.kernel.org/ubuntu/pool/main/d/dash/dash_0.5.8-2.3ubuntu1.diff.gz Hash Sum mismatch

E: Failed to fetch some archives.

If you want to additionally verify the signature in the .dsc file for whichever developer uploaded the package to the build servers, you can do so:

sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Can't check signature: public key not found
sarnold@hunt:/tmp$ gpg --recv-key BD7EAA60778FA6F5
gpg: requesting key BD7EAA60778FA6F5 from hkp server keys.gnupg.net
gpg: key BD7EAA60778FA6F5: public key "Matthias Klose <email address hidden>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 24 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 24 signed: 19 trust: 20-, 0q, 0n, 4m, 0f, 0u
gpg: next trustdb check due at 2016-12-31
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Good signature from "Matthias Klose <email address hidden>"
gpg: aka "Matthias Klose <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D565 71B8 8A8B BAF1 40BF 63D6 BD7E AA60 778F A6F5
sarnold@hunt:/tmp$

Thanks
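The integrity check behind the "Hash Sum mismatch" above, as an added example that is not part of this comment: apt compares each downloaded archive against the checksums in the signed Sources index, and the .dsc that gpg --verify authenticates carries the same information in its Checksums-Sha256 field. The script below parses that field and checks the archives next to the .dsc; the package name "pkg", its file contents and the .dsc text are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Parse the Checksums-Sha256 field of a (possibly clearsigned) .dsc: {filename: (hex_digest, size)}.
def parse_dsc_sha256(text):
    entries, in_field = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):          # next field (or the signature block) ends it
                in_field = False
                continue
            digest, size, name = line.split()    # continuation line: "<sha256> <size> <filename>"
            entries[name] = (digest.lower(), int(size))
    return entries

# Check every listed archive in source_dir against the .dsc: {filename: "ok"|"missing"|"mismatch"}.
def verify_sources(dsc_path, source_dir):
    with open(dsc_path, encoding="utf-8") as f:
        expected = parse_dsc_sha256(f.read())
    results = {}
    for name, (digest, size) in expected.items():
        path = os.path.join(source_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        ok = len(data) == size and hashlib.sha256(data).hexdigest() == digest
        results[name] = "ok" if ok else "mismatch"
    return results

# Constructed demo (hypothetical package "pkg"): orig tarball listed with its real hash, diff with a tampered one.
def demo():
    d = tempfile.mkdtemp()
    good, bad = b"pristine upstream tarball\n", b"debian diff with an unexpected change\n"
    for name, data in (("pkg_1.0.orig.tar.gz", good), ("pkg_1.0-1.diff.gz", bad)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    dsc = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nFormat: 1.0\nSource: pkg\nChecksums-Sha256:\n"
           f" {hashlib.sha256(good).hexdigest()} {len(good)} pkg_1.0.orig.tar.gz\n"
           f" {'0' * 64} {len(bad)} pkg_1.0-1.diff.gz\nFiles:\n"
           "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n")
    with open(os.path.join(d, "pkg_1.0-1.dsc"), "w", encoding="utf-8") as f:
        f.write(dsc)
    return verify_sources(os.path.join(d, "pkg_1.0-1.dsc"), d)
```

This only checks the hashes; the signature on the .dsc itself is still gpg's job, as shown in the comment.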