
Re: signatures for debs installed manually



Celejar <celejar@gmail.com> writes:

> On Tue, 8 Sep 2009 12:01:09 +1000
> Morgan Storey <me@morganstorey.com> wrote:
>
>> Hi Celejar,
>> 
>> You can get him to PGP/GPG sign the package, then just verify it with
>> his public key, or simply md5sum and sha1sum the package. There are MD5
>> collisions so someone could make a package of the same size with the
>> same md5 hash that contains different malicious code but for your
>> needs it should be enough.
>> Obviously the safest out of all of these is the PGP/GPG but the MD5
>> and sha1 are easier to implement. In this case below I don't know the
>> procedures but the developer will probably have a GPG key that he can
>> sign the package with, then just get his public key off a key server
>> and verify.
>
> Thanks.  I know that there are ways to do this, but I was wondering if
> the developer needs to be asked in each case, or if there's some sort
> of standard procedure that is followed.
>
> Celejar

There is a tool for this called dpkg-sig. But signed debs are not
accepted by the Debian archive so that is rarely used.

Maybe a better alternative would be to just create an apt repository.

Last, and most work for you, you can fetch the source, assuming the
dsc file is signed, and build your own package.

MfG
        Goswin
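The verification procedure the replies above describe (a checksum manifest checked with md5sum/sha1sum, plus a detached GPG signature checked against the developer's key fetched from a key server), as an added shell example that is not part of the thread. The file names `pkg.deb`, `pkg.deb.asc`, the manifest names, the key id and the keyserver URL are assumptions; the checksum demo builds a constructed fake package in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a manually obtained .deb
# two ways: a checksum manifest and a detached GPG signature.

# verify_checksums DIR MANIFEST TOOL
# Runs "TOOL -c MANIFEST" inside DIR (TOOL is md5sum or sha1sum).
# Returns 0 only if every listed file matches its recorded digest.
verify_checksums() {
    dir=$1; manifest=$2; tool=$3
    (cd "$dir" && "$tool" -c --strict --quiet "$manifest") >/dev/null 2>&1
}

# verify_signature DEB ASC KEYID
# Fetches the developer's key (KEYID is an assumed placeholder) from a
# keyserver, then checks the detached signature ASC over DEB.
# Not exercised by the demo below, since it needs gpg and network access.
verify_signature() {
    deb=$1; asc=$2; keyid=$3
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$keyid" || return 1
    gpg --verify "$asc" "$deb"
}

# demo_checksums: constructs a fake package, records md5 and sha1
# manifests, confirms both verify, then appends one byte and confirms
# the sha1 check now fails. Returns 0 only if both outcomes are as expected.
demo_checksums() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for a .deb, not a real package\n' > "$tmp/pkg.deb"
    (cd "$tmp" && sha1sum pkg.deb > SHA1SUMS && md5sum pkg.deb > MD5SUMS)
    if verify_checksums "$tmp" SHA1SUMS sha1sum && verify_checksums "$tmp" MD5SUMS md5sum; then
        clean_ok=1
    else
        clean_ok=0
    fi
    printf 'x' >> "$tmp/pkg.deb"          # tamper with the package
    if verify_checksums "$tmp" SHA1SUMS sha1sum; then
        tamper_detected=0
    else
        tamper_detected=1
    fi
    rm -rf "$tmp"
    [ "$clean_ok" -eq 1 ] && [ "$tamper_detected" -eq 1 ]
}
```

For a real package you would run `verify_signature pkg.deb pkg.deb.asc <developer key id>` first and only then `verify_checksums . SHA1SUMS sha1sum`; the checksums alone only tell you the file you got matches the manifest you got.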
