sean finney on 23 Jan 2006 22:43:33 -0000


Re: [PLUG] secure apt

hey jeff,

On Mon, Jan 23, 2006 at 04:32:57PM -0500, Jeff Abrahamson wrote:
> I want to check that I've understood this correctly from reading
> debian docs.  The new version of apt pays attention to gpg signatures,
> but debs are not currently being signed.  It's recommended, then, that
> I ignore this error on "apt-get install":

the debs are not signed[1], but this isn't what apt is checking.
apt performs its verification via the Release file, which is signed
with the debian archive signing key.  the Release file contains a list
of Packages and Sources files and their sizes/md5sums.  these files
then in turn carry the md5sums of the binary and source packages.  so,
if the size/md5sum on the package matches the entry in Packages, and
the md5sum of Packages matches what's in Release, and the signature of
Release is good, then apt is happy.

of course, apt has to know about the archive signing key in
the first place, which is what i think your problem is.

>     Install these packages without verification [y/N]? y

what's the output of apt-key list?

> I want to be very careful about this, because it's initially difficult
> to differentiate a bad signature from a broken secure apt.

if the signature is bad, you'll get a separate error i believe.  if
there's no signature, or if the signature is not in your trusted
keyring, you'll get a message like the above.


[1] there is a separate vector of effort in debian to do directly signed
    debs as well (dpkg-sigs/debsigs) but the current method with Release
    seems to be more popular/practical.
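The Release -> Packages -> package hash chain described in the reply above, as an added example (an illustration written for this page, not code from the post or from apt itself). It builds a constructed sample archive (a Release file, a Packages file and a stand-in package) and walks the chain the way the message lays it out; the gpg check of the Release signature against the archive key is assumed to have been done separately.

```python
import hashlib


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def release_md5sums(release_text: str) -> dict:
    """Map path -> (md5, size) from the MD5Sum: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # a new non-indented field ends the section
    return entries


def packages_entries(packages_text: str) -> dict:
    """Map Filename -> (MD5sum, Size) over every stanza of a Packages file."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries


def verify_chain(release_text, packages_path, packages_bytes, deb_name, deb_bytes):
    """Check Release -> Packages -> .deb; Release's signature is assumed verified."""
    expected = release_md5sums(release_text).get(packages_path)
    if expected != (md5(packages_bytes), len(packages_bytes)):
        return False, "Packages does not match Release"
    expected = packages_entries(packages_bytes.decode()).get(deb_name)
    if expected != (md5(deb_bytes), len(deb_bytes)):
        return False, "package does not match Packages"
    return True, "ok"


# Constructed sample archive, not real Debian data.
DEB = b"not a real .deb, just constructed bytes"
DEB_NAME = "pool/main/f/foo/foo_1.0_i386.deb"
PACKAGES = (f"Package: foo\nVersion: 1.0\nFilename: {DEB_NAME}\n"
            f"Size: {len(DEB)}\nMD5sum: {md5(DEB)}\n").encode()
RELEASE = ("Origin: Debian\nMD5Sum:\n"
           f" {md5(PACKAGES)} {len(PACKAGES)} main/binary-i386/Packages\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, "main/binary-i386/Packages", PACKAGES, DEB_NAME, DEB))
    print(verify_chain(RELEASE, "main/binary-i386/Packages", PACKAGES, DEB_NAME, DEB + b"x"))
```

A tampered package or a tampered Packages file each fails at a different link of the chain, which is why the reply distinguishes an untrusted or missing Release signature from a mismatching md5sum.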

Philadelphia Linux Users Group