Sorry if this has been brought up before. If there's a prior discussion
anyone can point me to, I'd really appreciate it.

I am trying to set up a Debian 10 based server to host a web app that's
visible to the public. Putting some time into finding out best practices in
this situation, I came across the Center for Internet Security (CIS)
document (CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf) that on page 75,
perhaps suggests that apt is not configured correctly to verify packages. I
say "perhaps" because the wording in the PDF isn't very clear.

This led me to search for more answers online, where I have found an
article that suggests that package metadata is verified, but that package
contents are not
(https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/).
Again, it's unclear if that article applies to Debian 10, but since my
system has "no-debsig" in /etc/dpkg/dpkg.cfg, it seems like it might and
therefore my system is not verifying the contents of apt packages and is
vulnerable to some sorts of attacks through apt.

The closest to an official word on this, that I have been able to find, is
this web-page (https://wiki.debian.org/SecureApt) but it's not very
understandable to me, and it's not clear how up-to-date it is. There is
much talk of Release files, but I don't know where these files are, and so
I can't test out the mechanisms described.

I do know that if I use "apt download" to download a .deb file, break it
apart (using ar and tar), make a change, and put it back together, I can
then use "apt install ./X.deb" to install it, even though I haven't updated
any security metadata in the .deb file. Removing "no-debsig" in dpkg.cfg
doesn't affect the outcome.

And finally, it seems that even Wikipedia says that package signatures
aren't being checked on most systems
(https://en.wikipedia.org/wiki/Deb_%28file_format%29#Signed_packages).

I hope someone can help me find some answers on this!

thanks,
Ramin
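
The following is an added example, not part of the message above and not Debian's own tooling. It shows the last link of the chain the SecureApt wiki page describes: the signed InRelease file carries the SHA256 of each Packages index, and the Packages index carries the SHA256 of each .deb, so a downloaded package can be checked against the index. On a Debian 10 host the indexes apt has fetched live under /var/lib/apt/lists/ (files ending in _Packages, next to the _InRelease file); because the script has to run offline, it instead writes a constructed Packages stanza and a constructed fake .deb to a temporary directory. The package name "hello", the fixture contents and the function names are assumptions made for the demonstration. Note that this hash check is what apt applies to packages it downloads from a repository; a local "apt install ./X.deb" bypasses the repository indexes entirely, which is why a modified local file installs without complaint.

```shell
#!/bin/sh
# Added example (not from the original post): check a .deb against the
# SHA256 recorded for it in an apt "Packages" index, the last link of the
# SecureApt chain (InRelease signature -> Packages hash -> .deb hash).
# On a real Debian 10 host the index is found under /var/lib/apt/lists/;
# here a constructed index and a fake .deb are written to a temp directory
# so the script runs offline.

# Print the SHA256 that the Packages index "$1" records for package "$2".
packages_sha256() {
    awk -v pkg="$2" '
        /^Package: / { cur = $2 }
        /^SHA256: /  { if (cur == pkg) { print $2; exit } }
    ' "$1"
}

# Return 0 if file "$1" matches the SHA256 listed for package "$3" in
# Packages index "$2", 1 if it does not match or the package is not listed.
verify_deb() {
    expected=$(packages_sha256 "$2" "$3")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Build the constructed fixture: a fake .deb plus a Packages index with a
# matching stanza for "hello" and an unrelated stanza for "other".
# Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'fake deb payload (constructed sample)\n' > "$dir/hello_1.0_amd64.deb"
    sum=$(sha256sum "$dir/hello_1.0_amd64.deb" | awk '{ print $1 }')
    cat > "$dir/Packages" <<EOF
Package: hello
Version: 1.0
Architecture: amd64
Filename: pool/main/h/hello/hello_1.0_amd64.deb
SHA256: $sum

Package: other
Version: 2.0
Architecture: amd64
Filename: pool/main/o/other/other_2.0_amd64.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

EOF
    echo "$dir"
}

# Demonstration: the untouched file verifies; a modified copy does not.
demo() {
    d=$(make_fixture)
    if verify_deb "$d/hello_1.0_amd64.deb" "$d/Packages" hello; then
        echo "hello_1.0_amd64.deb: SHA256 matches the Packages index"
    fi
    cp "$d/hello_1.0_amd64.deb" "$d/tampered.deb"
    printf 'one extra line\n' >> "$d/tampered.deb"
    if ! verify_deb "$d/tampered.deb" "$d/Packages" hello; then
        echo "tampered.deb: SHA256 does NOT match the Packages index"
    fi
    rm -rf "$d"
}

demo
```

To run the same check against a real index, point verify_deb at the .deb you fetched with "apt download" and at the matching /var/lib/apt/lists/*_Packages file; the InRelease file beside it is what "apt update" verifies with the keys in /etc/apt/trusted.gpg.d/ before trusting that index at all.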
