Jeff Abrahamson on 24 Jan 2006 14:38:26 -0000
On Mon, Jan 23, 2006 at 05:43:08PM -0500, sean finney wrote:
>
> hey jeff,
>
> On Mon, Jan 23, 2006 at 04:32:57PM -0500, Jeff Abrahamson wrote:
> > I want to check that I've understood this correctly from reading
> > debian docs. The new version of apt pays attention to gpg signatures,
> > but debs are not currently being signed. It's recommended, then, that
> > I ignore this error on "apt-get install":
>
> the debs are not signed[1], but this isn't what apt is checking.
> apt performs its verification via the Release file, which is signed
> with the debian archive signing key. the Release file contains a list
> of Packages and Sources files and their sizes/md5sums. these files
> then in turn carry the md5sums of the binary and source packages. so,
> if the size/md5sum on the package matches the entry in Packages, and
> the md5sum of Packages matches what's in Release, and the signature of
> Release is good, then apt is happy.
Ah, I see. I was confused on that. Thanks.
> of course, apt has to know about the archive signing key in
> the first place, which is what i think your problem is.
>
> > Install these packages without verification [y/N]? y
>
> what's the output of apt-key list?
astra:/home/jeff# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>
pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
astra:/home/jeff#
Note that I imported the key Steve Gran suggested, but I do still get
errors. For example,
astra:/home/jeff# apt-get install apt-file
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
libconfigfile-perl
The following NEW packages will be installed:
apt-file libconfigfile-perl
0 upgraded, 2 newly installed, 0 to remove and 512 not upgraded.
Need to get 18.2kB of archives.
After unpacking 111kB of additional disk space will be used.
Do you want to continue [Y/n]?
WARNING: The following packages cannot be authenticated!
libconfigfile-perl apt-file
Install these packages without verification [y/N]?
E: Some packages could not be authenticated
astra:/home/jeff#
So I'm still somewhat confused.
> > I want to be very careful about this, because it's initially difficult
> > to differentiate a bad signature from a broken secure apt.
>
> if the signature is bad, you'll get a separate error i believe. if
> there's no signature, or if the signature is not in your trusted
> keyring, you'll get a message like the above.
--
Jeff
Jeff Abrahamson <http://www.purple.com/jeff/> +1 215/837-2287
GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
Attachment: signature.asc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
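Added example, not from this thread or from apt itself: a Python sketch of the chain sean describes (Release lists the md5sum/size of Packages, Packages lists the md5sum/size of each .deb), run over constructed archive metadata. The gpg check of the Release signature against the trusted keyring is assumed to have been done outside (by apt/gpgv) and is passed in as a boolean; the return values mirror the two outcomes discussed, apt's "cannot be authenticated" warning versus a checksum mismatch error.

```python
import hashlib
import re

def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_release(text: str) -> dict:
    """Map each path under the 'MD5Sum:' section to (md5, size)."""
    entries, in_md5 = {}, False
    for line in text.splitlines():
        if in_md5 and line.startswith(" "):
            md5, size, path = line.split()
            entries[path] = (md5, int(size))
        else:
            in_md5 = line.strip() == "MD5Sum:"
    return entries

def parse_packages(text: str) -> dict:
    """Map each stanza's Filename to (MD5sum, Size)."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def check_package(release_sig_ok: bool, release: str, packages_path: str,
                  packages: bytes, deb_path: str, deb: bytes) -> str:
    """Walk Release -> Packages -> .deb. 'unauthenticated' = no trusted
    signature or no index entry (apt's WARNING); 'bad' = checksum mismatch."""
    if not release_sig_ok:  # gpgv check against trusted.gpg, assumed done outside
        return "unauthenticated"
    rel_entry = parse_release(release).get(packages_path)
    if rel_entry is None:
        return "unauthenticated"
    if rel_entry != (md5_of(packages), len(packages)):
        return "bad"
    pkg_entry = parse_packages(packages.decode()).get(deb_path)
    if pkg_entry is None:
        return "unauthenticated"
    if pkg_entry != (md5_of(deb), len(deb)):
        return "bad"
    return "ok"

# Constructed sample archive metadata (not real Debian data).
DEB = b"constructed-deb-bytes"
DEB_PATH = "pool/main/a/apt-file/apt-file_0.0_all.deb"
PACKAGES = (f"Package: apt-file\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nMD5sum: {md5_of(DEB)}\n").encode()
PKG_PATH = "main/binary-i386/Packages"
RELEASE = f"Suite: unstable\nMD5Sum:\n {md5_of(PACKAGES)} {len(PACKAGES)} {PKG_PATH}\n"
```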