RE: How to verify package integrity after they have been downloaded?
Files modified after download -> that means the system is compromised.
In this case, detection is very hard because you want to sign with the compromised operating system.
-- Julien
On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
> In article <c7b40f9d0804051420x54657717v67397a33e0d4651d@mail.gmail.com> you wrote:
> > I trust the archive maintainers and have a secure way to get a copy of
> > their public key. I don't trust individual developers and cannot have
> > all of their keys securely distributed to me.
>
> Yes, you would have to sign the packages with your own key after verifying
> the release file.
If you are talking about automating the verification process, that
wouldn't quite work. The system that downloads the packages might have
been compromised. The files that I would sign on that system might
have been already modified at the time when I sign them.
So I don't see how signing the packages with my own key could help
here. Am I missing something?
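The verification model the thread is circling (trust the archive key, check each downloaded file against the digests in the signed Release file, and do it on a host you trust) can be shown concretely. The following is an added example written for this page, not code from any of the posters or from apt itself. It assumes the Release file's detached signature has already been checked against the archive maintainers' key on the trusted host (for instance with `gpgv --keyring trusted.gpg Release.gpg Release`), and every file path and digest below is constructed sample data, not content from a real mirror.

```python
import hashlib
import hmac

# Constructed sample archive content: three index files a client would download.
SAMPLE_PACKAGES = {
    "main/binary-amd64/Packages": b"Package: example\nVersion: 1.0\n",
    "main/source/Sources": b"Package: example\nFormat: 3.0 (quilt)\n",
    "main/i18n/Translation-en": b"Package: example\nDescription-en: An example\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Release file in the Debian layout: a signed manifest whose SHA256
# section lists "<hex digest> <size> <path>" for every index file. Only this
# manifest needs the archive key; the per-file digests carry the trust down.
SAMPLE_RELEASE = "Origin: Example\nSuite: stable\nSHA256:\n" + "".join(
    f" {sha256_hex(content)} {len(content)} {path}\n"
    for path, content in SAMPLE_PACKAGES.items()
)


def parse_release_sha256(text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file.

    Other digest sections (MD5Sum:, SHA1:) are skipped; only SHA256 is used.
    """
    expected = {}
    in_section = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; note whether it is SHA256.
            in_section = line.rstrip() == "SHA256:"
            continue
        if not in_section:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate stray lines rather than trusting a malformed entry
        digest, size, path = parts
        expected[path] = (digest.lower(), int(size))
    return expected


def verify_files(release_text: str, files: dict) -> dict:
    """Check each downloaded file against the signed manifest.

    Returns {path: "ok" | "size-mismatch" | "hash-mismatch" | "not-in-release"}.
    A file absent from the manifest cannot be vouched for by the archive key at all.
    """
    expected = parse_release_sha256(release_text)
    results = {}
    for path, data in files.items():
        if path not in expected:
            results[path] = "not-in-release"
            continue
        digest, size = expected[path]
        if len(data) != size:
            results[path] = "size-mismatch"
        elif not hmac.compare_digest(sha256_hex(data), digest):
            results[path] = "hash-mismatch"
        else:
            results[path] = "ok"
    return results


def demo() -> dict:
    """Run the check over a constructed download set with two tampered files."""
    downloaded = dict(SAMPLE_PACKAGES)
    # Constructed tampering: a same-length edit keeps the size but breaks the digest.
    downloaded["main/source/Sources"] = SAMPLE_PACKAGES["main/source/Sources"].replace(b"3.0", b"1.0")
    # Constructed tampering: an appended line changes the size, caught before hashing.
    downloaded["main/i18n/Translation-en"] += b"Tag: injected\n"
    # Constructed extra file the manifest never listed.
    downloaded["main/extra/Packages"] = b"unlisted\n"
    return verify_files(SAMPLE_RELEASE, downloaded)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:16} {path}")
```

The digests are authoritative only because the manifest carrying them was signed by the archive key before the files were fetched; re-signing the downloaded files with one's own key afterwards, as the original poster notes, would only attest to whatever state they were already in. For the same reason the check must run on a host whose Python, hashlib and keyring can be trusted: on a compromised download host both the files and the verifier can be altered together.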