How trustworthy is `sudo apt-get install (package name)` in Ubuntu?

As with many well-designed systems, the package system of Debian has defense in depth: multiple layers, each of which can be verified.

  • How do we trust the package file is what the system promises? The hash value is computed and compared against the stored value.

  • How do we trust the hash value isn't accidentally matching some other file? Multiple hash algorithms are used, and only if all those match the stored values do we trust the content actually matches.

  • How do we trust the stored values are meant for the package file we downloaded? The hash values are downloaded in a separate file (the various Packages.* files) pre-computed automatically by the archive system.

  • How do we trust the downloaded Packages.* files are what is promised by the system? The hash value for each file is stored in a single Release file for the whole archive.

  • How do we trust that the Release file is what is promised by the system? The cryptographic signature is computed, and compared against the separately-downloaded pre-computed signature from the archive.

  • How do we trust the signatures stored in the archive are actually from the archive we expected? It is certified by an archive key which we can fetch independently from a separate URL, and is installed in the initial set-up of the operating system.

And so on. At some point in the chain you have to trust some part of (and party in) the system, on less-than-ideal evidence.

With the above layers, the low-evidence trust window can be kept small and easily scrutinised. The one-way hashes and cryptographic signatures allow us to trust the mathematics to certify what follows in sequence.

The Debian wiki has a good, comprehensive description of how the APT system is secured.

Of course, many other things can go wrong by mistake or malice, and violate our assumptions about what is actually happening. As usual, the only persistent defense against possible attacks is: eternal vigilance.

`apt-get` has a list of trusted GPG keys. `apt-get install` downloads the packages from repository (mirror) servers, normally not the server of the author of the software. To ensure authenticity each package is signed with GPG. The package is only installed if the signature is trusted. So even in the case of a MITM attack the signature check will fail if the package is modified.
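The chain both answers describe, worked through over a constructed miniature archive. This is an added example, not code from either answer or from APT itself. It parses the real Release and Packages file layouts (checksum sections in Release, `Key: value` stanzas in Packages) and walks the layers in order: archive-key signature on Release, then every checksum Release lists for Packages, then every checksum the Packages stanza lists for the `.deb`. APT delegates the OpenPGP check to `gpgv` with the keyrings under `/etc/apt/trusted.gpg.d`; because the Python standard library has no OpenPGP, that step is represented here by a caller-supplied predicate, which is an assumption of this example. The package name, path, bytes and every hash below are constructed.

```python
import hashlib
import re

# Release-file section names and Packages-stanza field names, mapped to hashlib algorithms.
# Debian archives publish all three so that a collision would have to hold for every one.
RELEASE_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
STANZA_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def digests(data: bytes, names: dict) -> dict:
    """Return {name: hexdigest} for each name -> hashlib algorithm pair."""
    return {name: hashlib.new(algo, data).hexdigest() for name, algo in names.items()}


def parse_release(text: str) -> dict:
    """Parse the checksum sections of a Release file: {section: {filename: (hash, size)}}."""
    index, section = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and section:          # indented entry under a section
            digest, size, name = line.split()
            index[section][name] = (digest, int(size))
        else:                                           # header line, e.g. "SHA256:" or "Suite: stable"
            section = line.rstrip(":") if line.rstrip(":") in RELEASE_SECTIONS else None
            if section:
                index[section] = {}
    return index


def parse_packages(text: str) -> list:
    """Split a Packages file into stanzas; each stanza becomes a {field: value} dict."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_chain(release_text, signature_valid, packages_bytes, deb_name, deb_bytes) -> dict:
    """Walk the layers from the archive key down to the .deb.
    Returns the package stanza on success; raises ValueError naming the failing layer."""
    # Layer 1: Release must carry a valid signature from a trusted archive key.
    # `signature_valid` stands in for APT's gpgv call (assumption of this example).
    if not signature_valid(release_text):
        raise ValueError("Release: signature not from a trusted archive key")
    release = parse_release(release_text)
    if "SHA256" not in release:
        raise ValueError("Release: no SHA256 section, refusing a weak-hash-only index")
    # Layer 2: every checksum and the size Release lists for Packages must match.
    have = digests(packages_bytes, RELEASE_SECTIONS)
    for section, entries in release.items():
        if "Packages" not in entries:
            raise ValueError(f"Packages: not listed in Release {section} section")
        digest, size = entries["Packages"]
        if digest != have[section] or size != len(packages_bytes):
            raise ValueError(f"Packages: {section} mismatch against Release")
    # Layer 3: the .deb must match the size and every checksum in its stanza.
    stanza = next((s for s in parse_packages(packages_bytes.decode())
                   if s.get("Filename") == deb_name), None)
    if stanza is None:
        raise ValueError(f"{deb_name}: not listed in Packages")
    if int(stanza["Size"]) != len(deb_bytes):
        raise ValueError(f"{deb_name}: Size mismatch against Packages")
    have = digests(deb_bytes, STANZA_FIELDS)
    for field in STANZA_FIELDS:
        if stanza.get(field) != have[field]:
            raise ValueError(f"{deb_name}: {field} mismatch against Packages")
    return stanza


# Constructed miniature archive: a stand-in .deb, a Packages file listing it,
# and a Release file listing Packages. None of these values come from a real archive.
DEB_NAME = "pool/main/h/hello/hello_2.10-3_amd64.deb"
DEB_BYTES = b"!<arch>\ndebian-binary   constructed stand-in for a real .deb archive\n"


def make_packages(deb_name: str, deb_bytes: bytes) -> bytes:
    h = digests(deb_bytes, STANZA_FIELDS)
    return ("Package: hello\nVersion: 2.10-3\nArchitecture: amd64\n"
            f"Filename: {deb_name}\nSize: {len(deb_bytes)}\n"
            + "".join(f"{k}: {v}\n" for k, v in h.items()) + "\n").encode()


def make_release(files: dict) -> str:
    lines = ["Origin: Example", "Suite: stable", "Codename: example"]
    for section, algo in RELEASE_SECTIONS.items():
        lines.append(f"{section}:")
        for name, data in files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


PACKAGES = make_packages(DEB_NAME, DEB_BYTES)
RELEASE = make_release({"Packages": PACKAGES})


def layer_that_fails(signature_valid=lambda _: True, packages=PACKAGES, deb=DEB_BYTES):
    """Run the chain; return None when it holds, else the message naming the failing layer."""
    try:
        verify_chain(RELEASE, signature_valid, packages, DEB_NAME, deb)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("intact archive   :", layer_that_fails())
    print("untrusted key    :", layer_that_fails(signature_valid=lambda _: False))
    print("edited Packages  :", layer_that_fails(packages=PACKAGES.replace(b"2.10-3", b"2.10-4")))
    print("modified .deb    :", layer_that_fails(deb=bytes([DEB_BYTES[0] ^ 1]) + DEB_BYTES[1:]))
```

The order of the checks matters: a mirror that serves a modified `.deb` (the MITM case in the second answer) is caught at the last layer, a mirror that rewrites the Packages index to match its modified package is caught at the Release layer, and a mirror that rewrites Release as well fails at the signature because it does not hold the archive key. Only the key is trusted on outside evidence, as the first answer says.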