0

Suppose I have a trusted ISO Ubuntu 18.04 image on a USB stick. I have a brand new notebook and boot it from the USB stick. The notebook is connected through Wi-Fi with an unknown or untrusted internet provider ( suppose I am in a Wi-Fi Caffé), so I cannot trust dynamic DNS I got through DHCP.

AFAIK, when installing and upgrading packages, secure apt is used, so downloaded packages are signed and their signatures are checked by the public keys previously loaded in the ISO image. I conclude that under this situation the installation is secure, regardless of the reliability of the DNS you are using.

Are my assumptions true?

Note:
Although this question has been marked as a duplicate one of Are repository lists secure? Is there an HTTPS version? , it is slightly different because it has to do more with a brand new installation than with upgrading packages of an installed system, and my question is originally concerned with DNS reliability instead of HTTP vs HTTPS protocol.
Nevertheless, as fas as both cases use apt in a secure way, relying on public key infrastructure, the answer for both of them is the same.

muru
  • 197,895
  • 55
  • 485
  • 740
Romualdo Caruso
  • 23
  • Should be. It has the public keys for the apt-repos. As long as you don't install any unsigned packages you should be fine. – RobotHumans Jul 31 '18 at 19:49
  • "my question is originally concerned with DNS reliability instead of HTTP vs HTTPS protocol." In both cases the actual question is about somebody MITM'ing your package management downloads. Both of you just thought at different stages in the attack (to MITM an HTTP server, you're going to need fake DNS results anyway). That is why the answer is the same. – muru Aug 01 '18 at 00:48
  • @muru: Thanks for your answer. Considering the fact that my question has to do also with a brand new installation, to clarify things, it should be splitted in two questions: – Romualdo Caruso Aug 01 '18 at 11:11
  • @RomualdoCaruso brand new, installed in the dark ages, makes no difference here. – muru Aug 01 '18 at 11:13
  • Is apt used during the installation process, using Ubuntu public keys saved previously on the ISO image ? Yes 2) Is apt secure enough against a MITM attack ? Yes ( and this may be the duplicated question ).
    • – Romualdo Caruso Aug 01 '18 at 11:15