How is the authenticity of Ubuntu updates verified?

security apt updates ftp pgp

I couldn't find much info on the security of Ubuntu (and Linux in general) update verification/security.

The connection appears to be plain ftp. but the packages are signed using a private key and the corresponding public key is stored in the system as a trusted key.

So what are the details? Is the package itself signed or just the hash? Is it an RSA 4096 bit key? What are the chances of a malicious entity being able to mess with the updates and who owns the private key?


A concept called Secure Apt is used to verify the integrity of packages from Apt package repositories. The key methods are:

  • Package maintainers generate and publish a list of checksums calculated by secure hash functions from their packages (binary and source).

  • They sign that list with their private GPG key.

  • Apt maintains a key ring with public GPG keys of verified package authors and maintainers.

  • Upon package download and installation, Apt verifies

    1. the integrity of the checksum list with respect to the key ring and
    2. the integrity of the software package based on those verified checksums.

For more info visit the Debian Wiki on Secure Apt.

Related

Complete iPhone backup without iTunes?
delete directories recursively on Mac terminal
How do I change or delete the album cover image shown in rhythmbox?
upgrading glibc to a version at least 2.17 or higher in ubuntu 12.04 LTS?
What are the advantages and disadvantages of Apply to Enclosed Items?
Identifying Specs of Used MacBooks
Unable to edit /etc/apt/sources.list file
Ubuntu 18.04 missing wired connections in settings
Saving a apt-get file for future installations, how do I do it? [duplicate]
How to install one GUI program on Ubuntu Server?
Fuzzy text in Unity title bar
Wired Internet doesn't work on ubuntu 12.04