CoursesLinux essentialsNetworking & packages

Packages & signed repos

apt/dnf, GPG-signed repos, updates.

Beginner12 min · lesson 24 of 25

Software gets onto a Linux system through a package manager, which installs programs and, crucially, tracks their dependencies and updates. Debian/Ubuntu use apt (packages are .deb); RHEL/Fedora use dnf (packages are .rpm). The package manager is not just a convenience — it is a security boundary, because it fetches software from repositories and, done right, cryptographically verifies that what it installs really came from the trusted source and was not tampered with in transit.

HOW A SIGNED PACKAGE IS TRUSTED
1apt / dnf install
fetch package + signature from the repo
2GPG verify
check signature against trusted keys
3Signed by trusted key?
genuine publisher, untampered
4Install or reject
modified or impostor-mirror package is rejected
The package manager installs only what a trusted publisher signed — an OS-level supply-chain boundary.
terminal
# Debian/Ubuntu (apt) # RHEL/Fedora (dnf)
$ sudo apt update $ sudo dnf check-update
$ sudo apt upgrade $ sudo dnf upgrade
$ sudo apt install nginx $ sudo dnf install nginx
$ apt list --installed | wc -l $ dnf list installed | wc -l
$ dpkg -S /usr/bin/ssh $ rpm -qf /usr/bin/ssh # which package owns a file?

Signed repositories: trusting your software supply

Repositories are signed with GPG keys, and the package manager verifies every package’s signature against the trusted keys before installing — so a package that was modified, or served by an impostor mirror, is rejected. This is the OS-level version of the supply-chain trust the CI/CD track covers: you install only what a trusted publisher signed. Adding a third-party repository means adding trust in its signing key, so do it deliberately and only for sources you actually trust.

Patching is a security control

Most real-world breaches exploit known vulnerabilities that a patch already existed for — so keeping packages updated is one of the highest-impact security activities there is, not mere housekeeping. Apply security updates promptly, and consider enabling automatic security updates (unattended-upgrades on Debian/Ubuntu, dnf-automatic on Fedora/RHEL) so critical fixes land without waiting for a human. An unpatched, internet-facing service is the single most common way hosts get compromised.

terminal
# turn on automatic security patching (Debian/Ubuntu)
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure -plow unattended-upgrades
# check what would be upgraded and why:
$ apt list --upgradable
Never disable signature checks or "curl | sudo bash" blindly
Two habits cause supply-chain compromises on Linux hosts: disabling GPG verification (or adding an untrusted repo/key) so the package manager will install anything, and the ubiquitous curl https://... | sudo bash install one-liner, which runs arbitrary remote code as root with zero verification. Prefer signed packages from trusted repos, read a script before piping it to a shell, and treat the integrity of what you install as seriously as the integrity of what you write.