Ubuntu archive integrity verification¶
Packages in the Ubuntu Archive are distributed over a variety of protocols and from third-party mirrors. The authenticity of packages is decoupled from the distribution method used. This is achieved through cryptographic signatures that are generated on systems independent of the distribution infrastructure. These cryptographic signatures are automatically used by the package manager on Ubuntu installations (APT) to verify the integrity of downloaded software packages.
This architecture has several benefits, including:
providing tampering protection, even in the absence of in-transit security through TLS;
the integrity of the packages can be verified, even when redistributed by third-parties;
the attack surface is greatly reduced, as not even the Ubuntu Archive can distribute malicious software.
The verification scheme is inherited from Debian, which is Ubuntu’s upstream distribution. As such, most of the content in this section is also applicable to Debian installations. The infrastructure for distributing the official Ubuntu Archive, as well as Launchpad are completely independent of the Debian infrastructure.
It should be noted that only trusted repositories should be configured as APT sources. There is no automatic mechanism to establish the trustworthiness of a repository, with well-intentioned and malicious actors alike being able to set up repositories compatible with APT or PPAs on Launchpad.
Automatic verification¶
Any frontend to APT will automatically apply the same validation rules,
including apt
, apt-get
, aptitude
or any of the Ubuntu graphical
applications. The behaviour can be managed through APT configuration and its sources.
Insecure settings¶
There are a number of APT configuration settings which are not recommended, as
they disable the verification checks described in this section. These can be
configured in /etc/apt/apt.conf
(or the file specified in
Dir::Etc::main
), /etc/apt/apt.conf.d/
(or the path specified in
Dir::Etc::Parts
), the file specified by the APT_CONFIG
environment
variable, or directly passed on the command-line to a package manager.
Particular attention should be payed to the following settings (these should only be considered acceptable in particular environments, once their implications are understood):
The
Trusted
option for an APT sources entry, if set toyes
, as verification checks will be disabled.APT::Get::AllowUnauthenticated
, if set toyes
.Acquire::AllowInsecureRepositories
, if set toyes
.Acquire::AllowDowngradeToInsecureRepositories
, if set toyes
.
Trust anchor¶
Unless verification is disabled, each configured APT source is validated against
a trust anchor, configured as a GPG keyring. A global trusted keyring is used as
a fallback and can be managed through apt-key
, but this functionality has
been deprecated since Ubuntu 22.04 Jammy Jellyfish. The recommendation is to
only configure the Ubuntu Archive trust anchor in the global trusted keyring,
with other repositories referencing individual keyrings stored in
/etc/apt/keyrings/
(when configured by the system administrator) or
/usr/share/keyrings/
(when configured by a package) through the sources configuration.
An alternative is to embed the trust anchor in the sources configuration, as the
following example demonstrates for a hypothetical PPA:
Types: deb
URIs: https://ppa.launchpadcontent.net/ubuntu-security/demo/ubuntu/
Suites: noble
Components: main
Signed-By:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
mQINBGbXMpEBEADdAP7i2KzwrStkf3qh64HZTeq2XbhhEIXbNLGn4sZDMtK1cHiH
...
A configured repository that does not reference a trust anchor through the
Signed-By
option will use the global trusted keyring. The global trusted
keyring is bootstrapped by the ubuntu-keyring
package, which is installed by
default and creates GPG keyrings containing the Ubuntu Archive signing public
keys under the /etc/apt/trusted.gpg.d/
directory.