S 4.327 Verification of the integrity and authenticity of the Samba packages and sources
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Once it has been decided during planning (see S 2.437 Planning the use of a Samba server) whether Samba will be installed from a source code package or from a binary package, the authenticity of the packages must be checked (see also S 4.177 Assuring the integrity and authenticity of software packages). Both the source of the software to be installed and the procedure used to check its integrity must be documented.
1. Installation from a source code package
The Samba developers protect the source code packages with digital signatures generated by the GnuPG program (see also S 5.63 Use of GnuPG or PGP). The digital signature is always located in a separate file named after the uncompressed tar archive with the file extension ".asc" appended, because the signature covers the archive before gzip compression. For example, the digital signature of the samba-3.0.28a.tar.gz package is available in the file samba-3.0.28a.tar.asc.
The public key used by the Samba developers to sign the package has the user ID "Samba Distribution Verification Key <samba-bugs@samba.org>". The key generally expires within one to two years, after which a new key with a new fingerprint is used. The public key can be obtained from the following sources, for example:
- From the web server of the Samba project. The file http://www.samba.org/samba/ftp/samba-pubkey.asc contains the public GPG key used by the Samba developers to sign source code.
- From a key server.
Because the signature covers the uncompressed tar archive, the source code package must first be decompressed with the command gzip -d samba-<version>.tar.gz before the signature can be verified.
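The verification procedure described in this section, as an added example that is not part of the catalogue text or of the Samba project: a POSIX shell script that decompresses the package, verifies the detached signature with gpg and additionally checks that the signing key carries the fingerprint recorded from the project web server, since a matching user ID alone proves nothing (anyone can create a key with that user ID). The function names, the side-by-side file layout and the fingerprints and key IDs are assumptions and constructed placeholders, not values of the real Samba key.

```shell
#!/bin/sh
# Added example (not from the BSI catalogue or the Samba project): verify a
# Samba source package against its detached GnuPG signature and pin the
# signing key to a fingerprint recorded out of band.
# Assumed layout: samba-<version>.tar.gz and samba-<version>.tar.asc side by
# side; the signature covers the uncompressed .tar. All fingerprints and key
# IDs below are constructed placeholders.

# check_validsig STATUS_TEXT EXPECTED_FINGERPRINT
# Reads GnuPG's machine-readable status lines (as written by --status-fd) and
# succeeds only if the signature is GOODSIG (not merely EXPKEYSIG or EXPSIG)
# and the VALIDSIG line names the expected fingerprint, either as the signing
# key (field 3) or as the primary key (field 12). Spaces in the expected
# fingerprint, as printed by "gpg --fingerprint", are ignored.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = toupper(want); gsub(/ /, "", want) }
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($12) == want) { fpr = 1 }
        END { if (good && fpr) exit 0; exit 1 }'
}

# import_samba_key KEYFILE EXPECTED_FINGERPRINT
# Imports samba-pubkey.asc and then checks that the key stored under the
# Samba user ID really has the fingerprint recorded in the documentation
# (field 10 of the "fpr" record in --with-colons output).
import_samba_key() {
    gpg --import "$1" >/dev/null 2>&1 || return 1
    gpg --with-colons --fingerprint "samba-bugs@samba.org" 2>/dev/null \
        | awk -F: -v want="$2" 'BEGIN { gsub(/ /, "", want) }
            $1 == "fpr" && toupper($10) == toupper(want) { found = 1 }
            END { if (found) exit 0; exit 1 }'
}

# verify_samba_package PACKAGE EXPECTED_FINGERPRINT
# Decompresses samba-<version>.tar.gz to samba-<version>.tar (keeping the
# .gz), verifies samba-<version>.tar.asc against it and applies the
# fingerprint check. Returns 0 only if every step succeeds.
verify_samba_package() {
    pkg="$1"
    archive="${pkg%.gz}"
    sig="$archive.asc"
    [ -f "$pkg" ] && [ -f "$sig" ] || return 1
    gzip -dc "$pkg" > "$archive" || return 1
    # Status lines go to stdout (fd 1); human-readable output is discarded.
    status=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null)
    check_validsig "$status" "$2"
}

# Constructed sample of GnuPG status output for a good signature (key ID and
# fingerprint are placeholders, not the real Samba key).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Samba Distribution Verification Key <samba-bugs@samba.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2008-03-08 1204934400 0 4 0 1 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample for a signature made with an already expired key: GnuPG
# reports EXPKEYSIG instead of GOODSIG, so the check must reject it.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Samba Distribution Verification Key <samba-bugs@samba.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2008-03-08 1204934400 0 4 0 1 2 00 0000111122223333444455556666777788889999'

# Placeholder fingerprint in the spaced form printed by "gpg --fingerprint".
PLACEHOLDER_FPR='0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'

# Usage: sh verify-samba.sh samba-<version>.tar.gz "<recorded fingerprint>"
if [ $# -eq 2 ]; then
    if verify_samba_package "$1" "$2"; then
        echo "signature and key fingerprint OK"
    else
        echo "VERIFICATION FAILED" >&2
        exit 1
    fi
fi
```

The expected fingerprint should be taken from the documentation required above, not from the key file that is being verified; if the project rotates to a new key, the new fingerprint is recorded and the old one retired.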
2. Installation from binary packages in the distribution
If Samba is installed from the official installation sources of the distribution in use by means of the distribution's package manager (such as yum or rpm), the package manager generally verifies the authenticity and integrity of the packages itself.
3. Installation from binary packages from other sources
If binary packages are obtained from installation sources that are not part of the distribution in use, it must be ensured that the provider of these sources is trustworthy. The authenticity of the binary packages is then checked as described in the section "Installation from a source code package" or in the section "Installation from binary packages in the distribution".
Review questions:
- Were authenticity and integrity checks performed on the installation packages?
- Are the origin of the installation packages and the integrity check performed properly documented?