Jeff Abrahamson on 24 Jan 2006 14:38:26 -0000

On Mon, Jan 23, 2006 at 05:43:08PM -0500, sean finney wrote:
> [39 lines, 271 words, 1579 characters]  Top characters: etainroh
>
> hey jeff,
>
> On Mon, Jan 23, 2006 at 04:32:57PM -0500, Jeff Abrahamson wrote:
> > I want to check that I've understood this correctly from reading
> > debian docs.  The new version of apt pays attention to gpg signatures,
> > but debs are not currently being signed.  It's recommended, then, that
> > I ignore this error on "apt-get install":
>
> the debs are not signed[1], but this isn't what apt is checking.
> apt performs its verification via the Release file, which is signed
> with the debian archive signing key.  the Release file contains a list
> of Packages and Sources files and their sizes/md5sums.  these files
> then in turn carry the md5sums of the binary and source packages.  so,
> if the size/md5sum on the package matches the entry in Packages, and
> the md5sum of Packages matches what's in Release, and the signature of
> Release is good, then apt is happy.

Ah, I see.  I was confused on that.  Thanks.

> of course, apt has to know about the archive signing key in
> the first place, which is what i think your problem is.
>
> > Install these packages without verification [y/N]? y
>
> what's the output of apt-key list?

    astra:/home/jeff# apt-key list
    /etc/apt/trusted.gpg
    --------------------
    pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
    uid                  Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>

    pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
    uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

    pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
    uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

    astra:/home/jeff#

Note that I imported the key Steve Gran suggested, but I do still get
errors.  For example,

    astra:/home/jeff# apt-get install apt-file
    Reading package lists... Done
    Building dependency tree... Done
    The following extra packages will be installed:
      libconfigfile-perl
    The following NEW packages will be installed:
      apt-file libconfigfile-perl
    0 upgraded, 2 newly installed, 0 to remove and 512 not upgraded.
    Need to get 18.2kB of archives.
    After unpacking 111kB of additional disk space will be used.
    Do you want to continue [Y/n]?
    WARNING: The following packages cannot be authenticated!
      libconfigfile-perl apt-file
    Install these packages without verification [y/N]?
    E: Some packages could not be authenticated
    astra:/home/jeff#

So I'm still somewhat confused.

> > I want to be very careful about this, because it's initially difficult
> > to differentiate a bad signature from a broken secure apt.
>
> if the signature is bad, you'll get a separate error i believe.  if
> there's no signature, or if the signature is not in your trusted
> keyring, you'll get a message like the above.

-- 
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>  +1 215/837-2287
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
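
The chain of checks described in the quoted reply above (a signed Release file that lists the size/md5sum of Packages, which in turn lists the size/md5sum of each .deb), sketched as an added example that is not part of the original thread and is not apt's own code. The Release, Packages and .deb contents are constructed sample data, the Release signature check is assumed to be done separately against the trusted keyring and passed in as a boolean, and `verify_chain` and its helpers are hypothetical names.

```python
import hashlib

def md5(data: bytes) -> str:
    # MD5 because that is what the 2006 thread describes; current archives also list SHA256.
    return hashlib.md5(data).hexdigest()

def release_index(release_text: str) -> dict:
    """Parse the MD5Sum section of a Release file into {path: (md5, size)}."""
    entries, in_md5 = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_md5 = line.strip() == "MD5Sum:"
        elif in_md5:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def package_stanzas(packages_text: str) -> dict:
    """Parse a Packages file into {package name: {field: value}}."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_chain(release_text, release_sig_ok, packages_path, packages_bytes, name, deb_bytes):
    """Return None if every link holds, otherwise a description of the first broken link."""
    if not release_sig_ok:  # assumption: signature checked elsewhere against the trusted keyring
        return "Release signature not verified against a trusted key"
    if release_index(release_text).get(packages_path) != (md5(packages_bytes), len(packages_bytes)):
        return "Packages file does not match Release"
    stanza = package_stanzas(packages_bytes.decode()).get(name)
    if stanza is None:
        return "package not listed in Packages"
    if (stanza["MD5sum"], int(stanza["Size"])) != (md5(deb_bytes), len(deb_bytes)):
        return "deb does not match Packages"
    return None

# Constructed sample data, not taken from a real archive.
DEB = b"constructed stand-in for the contents of a .deb"
PACKAGES = f"Package: apt-file\nSize: {len(DEB)}\nMD5sum: {md5(DEB)}\n".encode()
PKG_PATH = "main/binary-i386/Packages"
RELEASE = f"Origin: Example\nMD5Sum:\n {md5(PACKAGES)} {len(PACKAGES)} {PKG_PATH}\n"

if __name__ == "__main__":
    print(verify_chain(RELEASE, True, PKG_PATH, PACKAGES, "apt-file", DEB))
    print(verify_chain(RELEASE, True, PKG_PATH, PACKAGES, "apt-file", DEB + b"x"))
    print(verify_chain(RELEASE, False, PKG_PATH, PACKAGES, "apt-file", DEB))
```

The first failing link is reported, so an untrusted or missing Release signature is distinguished from a hash mismatch further down the chain.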