Stephen Gran on 23 Jan 2006 22:18:38 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] secure apt

On Mon, Jan 23, 2006 at 04:32:57PM -0500, Jeff Abrahamson said:
> I want to check that I've understood this correctly from reading
> debian docs.  The new version of apt pays attention to gpg signatures,
> but debs are not currently being signed.  It's recommended, then, that
> I ignore this error on "apt-get install":
>     Install these packages without verification [y/N]? y
> or that I modify /etc/apt/apt.conf.d/70debconf to somehow say to
> ignore signatures.

Or make a new file in that directory (apt uses run-parts style config

> I want to be very careful about this, because it's initially difficult
> to differentiate a bad signature from a broken secure apt.
> Thanks much for any input.

The signing is at the archive, rather than package, level.  The problem
is that we have the software part done in apt, but haven't yet gotten
around to figuring out how to do an automatic key update.  Each key is
only good for one year, so this is going to be a recurring problem
unless we can figure it out before next December ;)

In the meantime, you can grab the key here:

And then add it to apt's keyring with:
apt-key add

The key name is always ziyi_key_$year.asc (or at least has been so far)
so scripting this wouldn't be hard.  The hard part, as I understand it,
has been deciding how to verify the key programmatically and decide that
it should be added.
|  Stephen Gran                  | When people say nothing, they don't     |
|             | necessarily mean nothing.               |
| |                                         |

Attachment: signature.asc
Description: Digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --