
Re: verification of packages with gnupg/apt-key



On Wed, Jun 29, 2005 at 12:52:47PM +0100, Andrei Mikhailovsky wrote:
> Hello debian fellows.
> 
> Since the update of apt to 0.6.x with the support of package verification
> using gnupg, I was wondering if this has been built into the packages
> that are stored in debian amd64 repositories? I've tried to implement
> this feature on my amd64 box. After fixing a couple of issues with apt-key
> (linking /usr/share/keyrings/ with ln -s debian-keyring.gpg
> debian-archive-keyring.gpg, etc..) I've found out that there are more
> issues to package verification.
> 
> The apt-check-sigs is failing to verify quite a few things:
> 
> Source: deb http://amd64.debian.net/debian-pure64/ sid main contrib
>   o Origin: Debian/Debian AMD64 archive
>   o Suite: unstable/sid
>   o Date: Wed, 29 Jun 2005 00:12:54 UTC
>   o Description: Debian AMD64 archive - Unstable Development Version
>   o Signed by: Debian AMD64 Archive Key <debian-amd64@lists.debian.org>
>   * PROBLEMS WITH main (MISSING 3fec79394cb72698125030bf546aa8d4 97,
> MISSING 12bb516135b4fe217e9ec11556b484cd 13434988)
>   * PROBLEMS WITH contrib (MISSING dbfef483032b40f05c87c7f4d9d81525 100,
> MISSING 6c9ee6eaf99f8e46f24d21ff8ee0cf99 199770)
> 
> ....
> 
> The following files in /var/lib/apt/lists have not been validated.
> This could turn out to be a harmless indication that this script is
> buggy
> or out of date, or it could let trojaned packages get onto your system.
> 
> 
> amd64.debian.net_debian-pure64_dists_sid_contrib_binary-amd64_Packages.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_binary-amd64_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_source_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_source_Sources.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_binary-amd64_Packages.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_binary-amd64_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_source_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_source_Sources.FAILED
> 
> 
> 
> Has anyone managed to make verification of packages/Release files
> work under amd64?
> 
> Many thanks for any help

I was under the impression the majority of packages in Debian were not
signed, since no one has come up with a way for the buildd to sign a
package using a package maintainer's key (and I imagine no one should try
either).  Perhaps the package maintainers could (maybe some already do,
not sure) sign packages from the buildd when they are done, but I don't
think that is the case at the moment.  Certainly I know debsigs just
didn't work very well before given how many packages were not signed.

Len Sorensen


