
Re: signature check failed



On Tue, 6 Jul 2004 09:13:09 -0600
Richard Wilbur <rwilbur@wilburz.com> wrote:
> 
> When did the policy of releasing normal Debian packages without  
> signatures begin?  Was it before or after the release of "Woody"?

My understanding is that it began when Debian began.  Individual
"official" Debian packages have never been signed.  If you have
an official Woody install CD and it's installed and running
debsigs by default, something screwy is going on.  That didn't
occur for me when I installed Woody from CD, for instance.


> The reason I ask is that it seems unfriendly, at best, to require  
> undocumented reconfiguration of the default install tool for a  
> distribution in order to complete the initial installation.

The default install tool for Debian does not need reconfiguration
in order to complete the initial installation.  The "debsigs"
package does, but that's not part of the standard install toolset.
I don't know why you're encountering it during a Woody install.


> I like the idea of getting a binary package that comes with some  
> assurance of its own integrity.  The package can travel far and wide,  
> as long as it retains the signature of the packager, I have reason to  
> believe it remains unmolested.  Coming from a world of .rpm and .tgz,  
> this seems like an improvement.  Thus I was eager to remedy the  
> situation when the signature check failed and I assumed I must have  
> downloaded some incomplete or tampered package files.

The way this is done with Debian is that, rather than signing the
individual packages, the individual packages are md5sumed, with the
md5sums placed in the "Packages" file that apt-get fetches during
"apt-get update" or located upon the official CDs.  Those "Packages"
files *are* signed, so that it's effectively not possible for an
evildoer to modify the md5sums stored therein.

-c

-- 
Chris Metzler			cmetzler@speakeasy.snip-me.net
		(remove "snip-me." to email)

"As a child I understood how to give; I have forgotten this grace since I
have become civilized." - Chief Luther Standing Bear

Attachment: pgp2rLUZGsS05.pgp
Description: PGP signature
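
The check described in the message above, as an added example that is not part of the original post or of Debian's own tooling: a package file is looked up in a "Packages" index and its size and checksum are compared with the listed values. It assumes the index has already been authenticated separately, and it goes slightly beyond the message by preferring a `SHA256` field when the index carries one; the function names and the sample data are constructed for illustration.

```python
import hashlib

# Constructed sample data: stand-in package bytes and an index describing them.
SAMPLE_DEB = b"constructed stand-in for the bytes of hello_1.0-1_i386.deb"
SAMPLE_INDEX = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"MD5sum: {hashlib.md5(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed example entry\n"
    " Continuation lines start with a space.\n"
)

def parse_packages(text):
    """Split a Packages index into stanzas keyed by their Filename field."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries

def verify_package(index, filename, data):
    """Return (ok, reason) for package bytes checked against the index entry."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in index"
    if "Size" in entry and int(entry["Size"]) != len(data):
        return False, "size mismatch"
    # Use the strongest checksum the index offers; old indices have MD5sum only.
    for field, algo in (("SHA256", "sha256"), ("MD5sum", "md5")):
        if field in entry:
            ok = hashlib.new(algo, data).hexdigest() == entry[field].lower()
            return ok, f"{field} {'match' if ok else 'mismatch'}"
    return False, "no checksum field in entry"

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_INDEX)
    print(verify_package(idx, "pool/main/h/hello/hello_1.0-1_i386.deb", SAMPLE_DEB))
```
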
