Secure way to get software

I recently moved from Ubuntu to Fedora, and I am trying to understand what the right way to receive packages is.

In Ubuntu DEB packages are not signed, and you have to trust the source. This means that you have to be strict and check the repository before adding it to your repository list. If one of the repositories on your list is compromised, your security can be broken. There are a few official repositories, and I add only a few very, very famous ones that I can “trust”. That way you can be “pretty” sure that your system is secure (to 99%).

When I installed Fedora I had to add RPM Fusion free and non-free to install drivers. Now I have a repository list that is much longer compared to Ubuntu, and it will take much longer to double check each of those URLs. I know that RPMs are signed. But what is the right way to be sure you are not installing malicious software on your system?

All the RPMs from the ‘official’ and ‘rpmfusion’ repos are GPG signed, as are some others.

Using dnf, the system checks the signature against the approved signing keys that are on your machine and verifies they are valid from that repo before processing them.

Using 3rd party repos might bypass this check, but you should be able to trust anything from the ‘official’ repos when using gnome-software or dnf to do the installation or upgrades.


Who told you that? They are signed and the signatures are checked on debian and ubuntu.

Also, all the metadata is signed to prevent supply-chain attack situations.

How can I check if the repositories installed on my system are ‘official’?

How to check the signature of the downloaded deb?

Every repo that is installed/enabled when doing a new install is considered ‘official’.
If the user has not modified those then that is all the verification needed.

This is true regardless of using Fedora, Ubuntu, Debian, etc.

Paranoia leads to ‘Analysis Paralysis’.

The package manager does that. apt, apt-get, dnf, etc.


apt / apt-get does this for you.

There is a way to turn off signature checks, but that is only really a thing a developer might do to their own private repos.

@sash17 debs and rpms use GPG for signatures. You can validate the GPG key on your system using the directions from the community/vendor. Ubuntu’s directions are here and Fedora’s are here. There are ways for you to disable verification of repositories, for example on a system that uses dnf like Fedora, you can always check that with sudo dnf config-manager --dump | grep "^gpgcheck"
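As an added example (not from any poster in this thread, and not Fedora's or dnf's own tooling), the shell function below does the same audit as the dnf config-manager one-liner above but directly on a .repo file: it reports every repo section whose packages would be installed without signature verification, either because it sets gpgcheck=0 or because it never sets gpgcheck at all and so falls back to whatever [main] in dnf.conf says. The repo file it runs on is constructed inline; on a real Fedora system you would point it at the files under /etc/yum.repos.d/.

```shell
#!/bin/sh
# Audit a yum/dnf .repo file for sections that disable or omit gpgcheck.
# Added example; the sample repo content below is constructed, not real.

audit_repo_gpgcheck() {
    # $1: path to a .repo file. Prints "<repo-id>: gpgcheck off" for sections
    # with gpgcheck=0 and "<repo-id>: gpgcheck missing" for sections that never
    # set it. Sections that set gpgcheck=1/true/yes print nothing.
    awk '
        function report() {
            if (section != "" && state != "on") print section ": gpgcheck " state
        }
        /^\[.*\]$/ {
            report()                                   # flush previous section
            section = substr($0, 2, length($0) - 2)    # strip the [ ]
            state = "missing"
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)          # keep only the value
            sub(/[[:space:]]*$/, "", v)
            state = (v == "1" || v == "true" || v == "yes") ? "on" : "off"
        }
        END { report() }
    ' "$1"
}

# Constructed sample: one verified repo, one with checks switched off,
# one that never sets gpgcheck. The URLs and key paths are placeholders.
SAMPLE_REPO="$(mktemp)"
cat > "$SAMPLE_REPO" <<'EOF'
[fedora-sample]
name=Sample verified repo
baseurl=https://example.invalid/fedora
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample

[private-sample]
name=Sample private repo with verification switched off
baseurl=https://example.invalid/private
enabled=1
gpgcheck=0

[forgotten-sample]
name=Sample repo that never sets gpgcheck
baseurl=https://example.invalid/other
enabled=1
EOF

audit_repo_gpgcheck "$SAMPLE_REPO"
rm -f "$SAMPLE_REPO"
```

Any line it prints names a repo you should either fix (set gpgcheck=1 and a gpgkey you have verified through the vendor's directions) or remove; silence means every section in that file demands a signature.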