Discusses an update to apt authentication for CD-ROMs to enhance security on install and make it impossible to create "poisoned" fake Ubuntu CDs that hurt users.


Currently, customizing an install CD requires recreating the signature for the Packages file and re-signing it. This further involves modifying the ubuntu-keyring package, which is awkward for people doing simple customizations. We should make this process less painful, probably by adjusting apt's rules for CD-ROM authentication.

Scope and Use Cases

Because customization should be easy, the current authentication scheme should be re-examined. In many cases, it is safe to assume that we trust the CD-ROM, because the CD-ROM is the top of the trust-chain. If a system is installed by booting from the CD-ROM, we trust the CD (because we use it to install) long before the signature of the CD-ROM is checked by the installer.

The only case where security is weakened is when a system is upgraded using a CD-ROM. Signed md5sums of the Ubuntu CD images are provided at and MD5SUMS.gpg so the user can still verify that his system is ok.

A possible attack scenario would be that the user gets a CD (by hand from someone evil or by downloading from an evil site) with rogue packages on it that looks like an Ubuntu CD. If the user does not check the md5sums himself, rogue packages could be installed on his system without warnings (update-notifier will make this easy by prompting for upgrade when a new CD is inserted).
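
The manual check mentioned above, as an added example (not part of the original spec or of apt): it verifies the detached signature on MD5SUMS before comparing the image's hash, and fails closed if the image is not listed. The image, MD5SUMS, MD5SUMS.gpg and keyring paths are assumptions supplied by the caller; `gpgv` and `md5sum` are the standard GnuPG and coreutils tools.

```shell
#!/bin/sh
# Added example: verify a CD image against a signed MD5SUMS list.
# All paths are caller-supplied assumptions; file names must not contain spaces.

# expected_md5 <MD5SUMS file> <image name>
# Prints the hash listed for exactly that file name; fails if it is not listed.
expected_md5() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }   # a leading "*" marks binary mode
        f == name { print $1; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# check_image_md5 <image> <MD5SUMS file>
# Returns 0 on match, 1 on hash mismatch, 2 if the image is not listed.
check_image_md5() {
    want=$(expected_md5 "$2" "$(basename "$1")") || {
        echo "not listed in $2: $1" >&2
        return 2
    }
    have=$(md5sum "$1" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "MD5 mismatch: $1" >&2; return 1; }
}

# verify_cd_image <image> <MD5SUMS> <MD5SUMS.gpg> <keyring>
# The signature is checked first: an MD5SUMS file that came from the same
# untrusted source as the image proves nothing until its signature verifies
# against a keyring obtained independently.
verify_cd_image() {
    gpgv --keyring "$4" "$3" "$2" || {
        echo "bad or unverifiable signature on $2" >&2
        return 3
    }
    check_image_md5 "$1" "$2"
}

# Run directly: sh verify.sh <image> <MD5SUMS> <MD5SUMS.gpg> <keyring>
if [ "$#" -eq 4 ]; then
    verify_cd_image "$@" || exit $?
fi
```
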

Implementation Plan

Apt needs to be modified so that it takes the location of the package into account and trusts CD-ROM packages automatically.

Packages Affected

The apt package needs to be modified, in particular the libapt library. After that, all higher level package management tools will automatically work.

Outstanding Issues

No work in this area has been done yet.

UDU BOF Agenda

UDU Pre-Work


UbuntuDownUnder/BOFs/CDRomAuthentication (last edited 2008-08-06 16:27:16 by localhost)