1 files changed, 272 insertions, 0 deletions

diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
new file mode 100644
index 0000000..e334df9
--- /dev/null
+++ b/doc/apt-secure.8.xml
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
+<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
+<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
+]>
+
+<refentry>
+ <refentryinfo>
+   &apt-author.jgunthorpe;
+   &apt-author.team;
+   &apt-email;
+   &apt-product;
+   <!-- The last update date -->
+   <date>2016-08-06T00:00:00Z</date>
+ </refentryinfo>
+
+ <refmeta>
+   <refentrytitle>apt-secure</refentrytitle>
+   <manvolnum>8</manvolnum>
+   <refmiscinfo class="manual">APT</refmiscinfo>
+ </refmeta>
+
+<!-- NOTE: This manpage has been written based on the
+     Securing Debian Manual ("Debian Security
+     Infrastructure" chapter) and on documentation
+     available at the following sites:
+     http://wiki.debian.net/?apt06
+     http://www.syntaxpolice.org/apt-secure/
+     http://www.enyo.de/fw/software/apt-secure/
+-->
+<!-- TODO: write a more verbose example of how it works with 
+     a sample similar to 
+     http://www.debian-administration.org/articles/174
+     ?
+--> 
+
+ 
+ <!-- Man page title -->
+ <refnamediv>
+    <refname>apt-secure</refname>
+    <refpurpose>Archive authentication support for APT</refpurpose>
+ </refnamediv>
+
+ <refsect1><title>Description</title>
+   <para>
+   Starting with version 0.6, <command>APT</command> contains code that does
+   signature checking of the Release file for all repositories. This ensures
+   that data like packages in the archive can't be modified by people who
+   have no access to the Release file signing key. Starting with version 1.1
+   <command>APT</command> requires repositories to provide recent authentication
+   information for unimpeded usage of the repository. Since version 1.5 changes
+   in the information contained in the Release file about the repository need to be
+   confirmed before APT continues to apply updates from this repository.
+   </para>
+
+   <para>
+   Note: All APT-based package management front-ends like &apt-get;, &aptitude;
+   and &synaptic; support this authentication feature, so this manpage uses
+   <literal>APT</literal> to refer to them all for simplicity only.
+   </para>
+</refsect1>
+
+ <refsect1><title>Unsigned Repositories</title>
+   <para>
+   If an archive has an unsigned Release file or no Release file at all
+   current APT versions will refuse to download data from them by default
+   in <command>update</command> operations and even if forced to download
+   front-ends like &apt-get; will require explicit confirmation if an
+   installation request includes a package from such an unauthenticated
+   archive.
+   </para>
+
+   <para>
+   You can force all APT clients to raise only warnings by setting the
+   configuration option <option>Acquire::AllowInsecureRepositories</option> to
+   <literal>true</literal>. Individual repositories can also be allowed to be insecure
+   via the &sources-list; option <literal>allow-insecure=yes</literal>.
+   Note that insecure repositories are strongly discouraged and all options
+   to force apt to continue supporting them will eventually be removed.
+   Users also have the <option>Trusted</option> option available to disable
+   even the warnings, but be sure to understand the implications as detailed in
+   &sources-list;.
+   </para>
+
+   <para>
+   A repository which previously was authenticated but would loose this state in
+   an <command>update</command> operation raises an error in all APT clients
+   irrespective of the option to allow or forbid usage of insecure repositories.
+   The error can be overcome by additionally setting
+   <option>Acquire::AllowDowngradeToInsecureRepositories</option>
+   to <literal>true</literal> or for Individual repositories with the &sources-list;
+   option <literal>allow-downgrade-to-insecure=yes</literal>.
+   </para>
+</refsect1>
+
+ <refsect1><title>Signed Repositories</title>
+   <para>
+   The chain of trust from an APT archive to the end user is made up of
+   several steps. <command>apt-secure</command> is the last step in
+   this chain; trusting an archive does not mean that you trust its
+   packages not to contain malicious code, but means that you
+   trust the archive maintainer. It's the archive maintainer's
+   responsibility to ensure that the archive's integrity is preserved.
+   </para>
+
+   <para>apt-secure does not review signatures at a
+   package level. If you require tools to do this you should look at
+   <command>debsig-verify</command> and
+   <command>debsign</command> (provided in the debsig-verify and
+   devscripts packages respectively).</para>
+
+   <para>
+   The chain of trust in Debian starts (e.g.) when a maintainer uploads a new
+   package or a new version of a package to the Debian archive. In
+   order to become effective, this upload needs to be signed by a key
+   contained in one of the Debian package maintainer keyrings (available in
+   the debian-keyring package). Maintainers' keys are signed by
+   other maintainers following pre-established procedures to
+   ensure the identity of the key holder. Similar procedures exist in all
+   Debian-based distributions.
+   </para>
+
+   <para>
+   Once the uploaded package is verified and included in the archive,
+   the maintainer signature is stripped off, and checksums of the package
+   are computed and put in the Packages file. The checksums of all of the
+   Packages files are then computed and put into the Release file. The
+   Release file is then signed by the archive key for this &keyring-distro; release,
+   and distributed alongside the packages and the Packages files on
+   &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring
+   available in the &keyring-package; package.
+   </para>
+
+   <para>
+   End users can check the signature of the Release file, extract a checksum
+   of a package from it and compare it with the checksum of the package
+   they downloaded by hand - or rely on APT doing this automatically.
+   </para>
+
+   <para>Notice that this is distinct from checking signatures on a
+   per package basis. It is designed to prevent two possible attacks:
+   </para>
+
+    <itemizedlist>
+       <listitem><para><literal>Network "man in the middle"
+       attacks</literal>. Without signature checking, malicious
+       agents can introduce themselves into the package download process and
+       provide malicious software either by controlling a network
+       element (router, switch, etc.) or by redirecting traffic to a
+       rogue server (through ARP or DNS spoofing
+       attacks).</para></listitem>
+ 
+       <listitem><para><literal>Mirror network compromise</literal>.
+        Without signature checking, a malicious agent can compromise a
+        mirror host and modify the files in it to propagate malicious
+        software to all users downloading packages from that
+        host.</para></listitem>
+    </itemizedlist>
+
+   <para>However, it does not defend against a compromise of the
+   master server itself (which signs the packages) or against a
+   compromise of the key used to sign the Release files. In any case,
+   this mechanism can complement a per-package signature.</para>
+</refsect1>
+
+<refsect1><title>Information changes</title>
+   <para>
+   A Release file contains beside the checksums for the files in the repository
+   also general information about the repository like the origin, codename or
+   version number of the release.
+   </para><para>
+   This information is shown in various places so a repository owner should always
+   ensure correctness. Further more user configuration like &apt-preferences;
+   can depend and make use of this information. Since version 1.5 the user must
+   therefore explicitly confirm changes to signal that the user is sufficiently
+   prepared e.g. for the new major release of the distribution shipped in the
+   repository (as e.g. indicated by the codename).
+   </para>
+</refsect1>
+
+<refsect1><title>User Configuration</title>
+   <para>
+   <command>apt-key</command> is the program that manages the list of keys used
+   by APT to trust repositories. It can be used to add or remove keys as well
+   as list the trusted keys. Limiting which key(s) are able to sign which archive
+   is possible via the <option>Signed-By</option> in &sources-list;.
+   </para><para>
+   Note that a default installation already contains all keys to securely
+   acquire packages from the default repositories, so fiddling with
+   <command>apt-key</command> is only needed if third-party repositories are
+   added.
+   </para><para>
+   In order to add a new key you need to first download it
+   (you should make sure you are using a trusted communication channel
+   when retrieving it), add it with <command>apt-key</command> and
+   then run <command>apt-get update</command> so that apt can download
+   and verify the <filename>InRelease</filename> or <filename>Release.gpg</filename>
+   files from the archives you have configured.
+   </para>
+</refsect1>
+
+<refsect1><title>Repository Configuration</title>
+   <para>
+   If you want to provide archive signatures in an archive under your
+   maintenance you have to:
+   </para>
+
+     <itemizedlist>
+       <listitem><para><emphasis>Create a toplevel Release
+       file</emphasis>,  if it does not exist already. You can do this
+       by running <command>apt-ftparchive release</command> 
+       (provided in apt-utils).</para></listitem>
+   
+      <listitem><para><emphasis>Sign it</emphasis>. You can do this by running
+      <command>gpg --clearsign -o InRelease Release</command> and
+      <command>gpg -abs -o Release.gpg Release</command>.</para></listitem>
+
+      <listitem><para>
+      <emphasis>Publish the key fingerprint</emphasis>, so that your users
+      will know what key they need to import in order to authenticate the files
+      in the archive. It is best to ship your key in its own keyring package
+      like &keyring-distro; does with &keyring-package; to be able to
+      distribute updates and key transitions automatically later.
+      </para></listitem>
+
+      <listitem><para>
+      <emphasis>Provide instructions on how to add your archive and key</emphasis>.
+      If your users can't acquire your key securely the chain of trust described above is broken.
+      How you can help users add your key depends on your archive and target audience ranging
+      from having your keyring package included in another archive users already have configured
+      (like the default repositories of their distribution) to leveraging the web of trust.
+      </para></listitem>
+
+    </itemizedlist>
+
+    <para>Whenever the contents of the archive change (new packages
+    are added or removed) the archive maintainer has to follow the
+    first two steps outlined above.</para>
+
+</refsect1>
+
+<refsect1><title>See Also</title> 
+<para> 
+&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;,
+&debsign;, &debsig-verify;, &gpg;
+</para>
+
+<para>For more background information you might want to review the
+<ulink
+url="https://www.debian.org/doc/manuals/securing-debian-howto/ch7">Debian
+Security Infrastructure</ulink> chapter of the Securing Debian Manual
+(also available in the harden-doc package) and the
+<ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html"
+>Strong Distribution HOWTO</ulink> by V. Alex Brennen.  </para>
+
+</refsect1>
+
+ &manbugs;
+ &manauthor;
+
+<refsect1><title>Manpage Authors</title> 
+
+<para>This man-page is based on the work of Javier Fernández-Sanguino
+Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
+</para>
+
+</refsect1>
+ 
+
+</refentry>