
Ubuntu Update Verification: Are They Secure?

TL;DR

Yes, Ubuntu updates are digitally signed to ensure they haven’t been tampered with during download and installation. This protects you from malicious software being installed as a legitimate update. Here’s how it works and how to check.

How Ubuntu Update Signing Works

Ubuntu uses a system called APT (Advanced Package Tool) which verifies updates using cryptographic signatures. These signatures are created by Canonical, the company behind Ubuntu, using private keys. Your computer then checks these signatures against public keys that it trusts. The signature covers the repository’s Release file; that file lists the hashes of the package indexes, which in turn list the hashes of the individual .deb packages, so one verified signature anchors everything APT downloads from that repository.

Checking Update Signatures – Step-by-Step

  1. Understand the Keyring: The trusted public keys are stored in a keyring. This is like a list of ‘official’ signers your computer recognises. On current Ubuntu releases these are the files under /etc/apt/trusted.gpg.d/, plus any per-repository keyrings (usually under /etc/apt/keyrings/) named in a source’s signed-by option.
  2. List Trusted Keys: You can see which keys APT trusts using this command:
    sudo apt-key list

    This will show you the key IDs and associated information for each trusted key. Note that apt-key is deprecated and prints a warning on recent releases; it still lists the keys in /etc/apt/trusted.gpg.d/, but not keys that are referenced only through signed-by.

  3. Verify Release File Signatures: The main release files (which tell your computer what updates are available) are signed. You can check these manually, though it’s rarely needed:
    • Find the Release file URL for your Ubuntu version. This is usually in /etc/apt/sources.list or files within /etc/apt/sources.list.d/
    • Download the Release file together with its detached signature, Release.gpg (the archive also publishes InRelease, which carries the same content with the signature inline), using wget or curl. For example:
      wget http://archive.ubuntu.com/ubuntu/dists/jammy/Release
      wget http://archive.ubuntu.com/ubuntu/dists/jammy/Release.gpg
    • Use gpgv, the verification-only tool from GPG (GNU Privacy Guard), to check the signature against the Ubuntu archive keyring. The key named in the ‘Good signature’ line should be one of those listed in step 2:
      gpgv --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg Release.gpg Release
  4. Automatic Verification: APT automatically handles this verification process during normal updates. When you run the usual pair of commands:
    sudo apt update
    sudo apt upgrade

    apt update verifies the signature on each repository’s Release file as it fetches the package indexes, and apt upgrade checks every downloaded package against the hashes in those verified indexes before installing anything.

  5. Check for Key Changes: It’s good practice to occasionally check if the trusted keys have been changed unexpectedly. Look at the output of
    sudo apt-key list

    and compare it with previous outputs (if you’ve saved them). If a key has been altered without your knowledge, investigate immediately.

  6. Using `apt-key adv` for Key Management: You can add or remove keys using the apt-key adv command. For example, to fetch and add a new key:
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>

    A key added this way is trusted for every repository on the system. For third-party repositories, prefer saving the key as a file under /etc/apt/keyrings/ and naming it in that repository’s source entry with signed-by, so that the key only vouches for that one repository.
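As an added example (not from the original post), the script below reproduces offline the check that APT performs on a repository’s Release file: a throwaway key generated in a temporary GnuPG home stands in for Canonical’s archive key, a constructed Release file stands in for the one on archive.ubuntu.com, and gpgv is pointed at a keyring containing only that key. It assumes gpg and gpgv are installed; every file name and value in it is constructed.

```sh
#!/bin/sh
# Added example: reproduce offline the check APT makes on a Release file.
# Everything here is constructed: the signing key is a throwaway stand-in
# for Canonical's archive key, and the Release file is a stand-in for
# http://archive.ubuntu.com/ubuntu/dists/jammy/Release.
set -eu
command -v gpg >/dev/null && command -v gpgv >/dev/null || { echo "gpg/gpgv not installed"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
SIGNER='Example Archive Key <archive@example.invalid>'

# 1. Throwaway "archive" key with no passphrase, so signing needs no prompt.
gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$SIGNER" >/dev/null 2>&1
# Public half only, in the binary keyring form APT reads from /etc/apt/keyrings.
gpg --batch --quiet --export archive@example.invalid > "$WORK/archive-keyring.gpg"
: > "$WORK/empty-keyring.gpg"   # a keyring that trusts nobody

# 2. A minimal Release file (constructed); real ones also list index hashes.
printf 'Origin: Example\nSuite: jammy\nCodename: jammy\nArchitectures: amd64\nComponents: main\n' > "$WORK/Release"

# 3. Sign it both ways the archive publishes it: detached Release.gpg and inline InRelease.
gpg --batch --yes --quiet --armor --detach-sign --output "$WORK/Release.gpg" "$WORK/Release"
gpg --batch --yes --quiet --clearsign --output "$WORK/InRelease" "$WORK/Release"

# 4. A tampered copy: one changed field, same signature file.
sed 's/^Suite: jammy/Suite: evil/' "$WORK/Release" > "$WORK/Release.tampered"

# gpgv is what APT itself calls: it trusts only the keyrings it is given.
verify_release() {   # keyring, detached signature, Release file -> 0 if good
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}
verify_inrelease() { # keyring, clearsigned InRelease file -> 0 if good
    gpgv --keyring "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, rest = verification command to run
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}
KR="$WORK/archive-keyring.gpg"
report "Release + Release.gpg, trusted key"  verify_release   "$KR" "$WORK/Release.gpg" "$WORK/Release"
report "InRelease, trusted key"              verify_inrelease "$KR" "$WORK/InRelease"
report "tampered Release (FAIL expected)"    verify_release   "$KR" "$WORK/Release.gpg" "$WORK/Release.tampered"
report "key not in keyring (FAIL expected)"  verify_release   "$WORK/empty-keyring.gpg" "$WORK/Release.gpg" "$WORK/Release"
```

The two FAIL lines are the point: a changed byte in Release, or a signer absent from the keyring, is rejected even though the signature itself is well formed.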

What if Verification Fails?

If APT fails to verify a signature, the update will not be installed. You’ll see an error message indicating the problem. Common causes include:

  • Outdated Keyring: Your keyring might need updating. Try:
    sudo apt update


  • Network Issues: A temporary network problem could prevent APT from checking the signatures.
  • Compromised Repository: In rare cases, a repository you’re using may have been compromised. Remove or disable untrusted repositories.