Linux packages and their patches are pooled in software hubs called repositories, or repos for short. Packages from the repositories of the mainstream Linux distributions can be considered safe and secure, because they pass through the distributions' well-established maintenance process before they reach you.
Your /etc/apt/sources.list file lists the repositories your system fetches from by default, with a note for each, so take a look, here using the cat command to print the file's contents to the terminal.
Some packages, though, may not be available from the official repositories, or updates to them may take months to trickle through, so we can add extra source locations to our sources.list. The thing to bear in mind is that not every repository is maintained as well as those of the official Linux distributions. Servers can be compromised, and so can packages.
For packages from non-mainstream repositories, therefore, as well as for any compressed packages to be compiled from source (where we download the core package files and build the application's installation file from those), it's important to check our downloads.
Verifying genuine software packages
The two most common ways to ensure the integrity and authenticity of downloads are MD5 checksums and GnuPG signatures. The latter is the preferred, safer method.
Every package should have a checksum: a fixed-length number computed from the file's contents that must match the value published for that package version on the package's download page.
So here's what happens: you download a package along with its corresponding MD5 file, then print that file in the terminal by editing the command (just correct the path to the file) cat /path/to/someFile.md5. Then you compare the MD5 sum printed on your screen with the one shown on the package's download page. Here are a couple of ways to check that:
But just because the sums match doesn't mean that the package is safe. The checksum only confirms that you received what the server intended to send; if the machine has been hacked, then not only could the download be malware, but the checksum may have been changed to match it. So, if you can, verify the checksum against an independent source rather than the download server itself.
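The checksum routine above, as an added example that is not part of the original article: the "download" and its .md5 file are constructed in a temporary directory so the script runs offline, and the verify_checksum helper is mine, not a standard tool. It goes one step beyond the text by also accepting SHA-256 sums, which are what most download pages publish today.

```shell
#!/bin/sh
# Added example (not from the article): checksum verification run end to end.
# The "download" and its .md5 file are constructed here so the script works offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the downloaded package ...
printf 'pretend this is packageX-1.0.tar.gz\n' > "$WORK/packageX-1.0.tar.gz"
# ... and for the .md5 file the download page publishes beside it. Its layout,
# "<hex sum>  <filename>", is the one md5sum -c expects.
( cd "$WORK" && md5sum packageX-1.0.tar.gz > packageX-1.0.tar.gz.md5 )

# Step 1, as in the text: print the published sum so you can compare it by eye.
cat "$WORK/packageX-1.0.tar.gz.md5"
md5sum "$WORK/packageX-1.0.tar.gz"

# verify_checksum <file> <expected hex sum> [md5|sha256]
# Prints "match" or "MISMATCH" and returns 0 or 1. Beyond the text's MD5 case,
# pass sha256 when the download page publishes SHA-256 sums; prefer those,
# since MD5 collisions are cheap to produce.
verify_checksum() {
    file="$1"; expected="$2"; algo="${3:-md5}"
    case "$algo" in
        md5)    actual="$(md5sum "$file" | cut -d' ' -f1)" ;;
        sha256) actual="$(sha256sum "$file" | cut -d' ' -f1)" ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Normalise case: some download pages print upper-case hex.
    expected="$(printf '%s' "$expected" | tr 'A-Z' 'a-z')"
    if [ "$actual" = "$expected" ]; then
        echo match
    else
        echo "expected $expected, got $actual" >&2
        echo MISMATCH
        return 1
    fi
}

# Step 2: the same comparison done by the tool itself (it fails loudly on a mismatch).
( cd "$WORK" && md5sum -c packageX-1.0.tar.gz.md5 )

# A tampered or truncated download does not match the published sum.
PUBLISHED="$(cut -d' ' -f1 "$WORK/packageX-1.0.tar.gz.md5")"
printf 'pretend this is packageX-1.0.tar.gz' > "$WORK/truncated.tar.gz"   # one byte short
verify_checksum "$WORK/packageX-1.0.tar.gz" "$PUBLISHED"
verify_checksum "$WORK/truncated.tar.gz" "$PUBLISHED" || true
```

Note that the script compares the sum against a value it received from the same place as the file; as the text warns, that only proves the download was not corrupted in transit. Feed verify_checksum the sum from an independent source (a mailing-list announcement, a mirror, the project's signed release notes) to get any protection against a compromised server.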
GnuPG cryptographic signatures
We touched on the validation solution, GNU Privacy Guard, in How to Secure Email Clients and Webmail, as a way to secure e-mail. It's worth referring back to that and exercising the links there.
This time, say you want packageX from developer X-Dev. You need three things:
- The digitally-signed package, packageX
- The package's signature file
- A public key from the developer, X-Dev
Let's start with the key. It could be available from the developer's site in which case you'd download it, importing the key to your public keyring:
Alternatively the key is hosted on a keyserver and the developer should provide a reference for us to request the key, in this case 5209A3S6, so we do this:
Then we download the package together with its signature file which we need to match the package to the imported public key:
If the signature match is good, we get a message saying so:
It may also give you a warning:
That's because you haven't yet validated and marked this key as trusted for future use. Provided you have confirmed that the key really belongs to the developer, you can ignore the message.
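The three-item workflow above (signed package, signature file, developer's public key), as an added example that is not part of the original article: "X-Dev" and its key are a constructed throwaway pair generated inside the script, so nothing here stands for a real developer or key ID, and both keyrings live in temporary directories so your own keyring is untouched. The helpers import_key, verify_package and trust_key are mine; the gpg options they wrap are standard GnuPG 2.1+ ones.

```shell
#!/bin/sh
# Added example (not from the article): the GnuPG workflow from the text, run end to end offline.
# "X-Dev" here is a constructed throwaway key, not a real developer's key.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }

WORK="$(mktemp -d)"
DEV_HOME="$WORK/dev"     # keyring of the (constructed) developer X-Dev
USER_HOME="$WORK/user"   # your keyring, where the public key gets imported
mkdir -m 700 "$DEV_HOME" "$USER_HOME"
trap 'GNUPGHOME="$DEV_HOME" gpgconf --kill gpg-agent >/dev/null 2>&1 || true;
      GNUPGHOME="$USER_HOME" gpgconf --kill gpg-agent >/dev/null 2>&1 || true;
      rm -rf "$WORK"' EXIT

# --- Developer side (constructed): create a key, export it for the website, sign the package ---
GNUPGHOME="$DEV_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'X-Dev (constructed) <xdev@example.invalid>' default default never
printf 'pretend this is packageX-1.0.tar.gz\n' > "$WORK/packageX-1.0.tar.gz"
GNUPGHOME="$DEV_HOME" gpg --batch --quiet --armor --export xdev@example.invalid > "$WORK/X-Dev.asc"
GNUPGHOME="$DEV_HOME" gpg --batch --quiet --armor --detach-sign \
    --local-user xdev@example.invalid -o "$WORK/packageX-1.0.tar.gz.asc" "$WORK/packageX-1.0.tar.gz"

# --- Your side ---
# Import the key file downloaded from the developer's site. The keyserver route from the
# text would be: gpg --keyserver <server> --recv-keys <key id>, which needs the network.
import_key() { GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$1"; }

# verify_package <signature file> <package>
# Prints "good" if the detached signature checks out against an imported key, "bad" otherwise.
# gpg's own report (Good/BAD signature, and the "not certified" warning) goes to stderr.
verify_package() {
    if GNUPGHOME="$USER_HOME" gpg --batch --verify "$1" "$2"; then echo good; else echo bad; fi
}

# Mark the key trusted, once its fingerprint has been confirmed through an independent
# channel, so later verifications no longer print the "not certified" warning.
trust_key() {
    fpr="$(GNUPGHOME="$USER_HOME" gpg --batch --with-colons --fingerprint "$1" \
           | awk -F: '/^fpr/ {print $10; exit}')"
    printf '%s:6:\n' "$fpr" | GNUPGHOME="$USER_HOME" gpg --batch --quiet --import-ownertrust
}

import_key "$WORK/X-Dev.asc"
verify_package "$WORK/packageX-1.0.tar.gz.asc" "$WORK/packageX-1.0.tar.gz"   # good, with trust warning
trust_key xdev@example.invalid
verify_package "$WORK/packageX-1.0.tar.gz.asc" "$WORK/packageX-1.0.tar.gz"   # good, no warning
# A tampered download fails the check even though the signature file itself is genuine.
printf 'tampered\n' > "$WORK/tampered.tar.gz"
verify_package "$WORK/packageX-1.0.tar.gz.asc" "$WORK/tampered.tar.gz"       # bad
```

The first verify_package call is the situation the text describes: the signature is good, but gpg warns that the key is not certified because nothing in your keyring vouches for it yet. The trust decision is yours to make outside gpg, by checking the fingerprint against something the download server does not control; trust_key only records that decision. The last call shows why the signature, not the checksum, is the stronger check: the attacker would need the developer's private key, not merely write access to the server, to make a modified file pass.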
Still awake? Well done.