Re: verification of packages with gnupg/apt-key
On Wed, Jun 29, 2005 at 12:52:47PM +0100, Andrei Mikhailovsky wrote:
> Hello debian fellows.
>
> Since the update of apt to 0.6.x with the support of package verification
> using gnupg, I was wondering if this has been built into the packages
> that are stored in debian amd64 repositories? I've tried to implement
> this feature on my amd64 box. After fixing a couple of issues with apt-key
> (linking /usr/share/keyrings/ with ln -s debian-keyring.gpg
> debian-archive-keyring.gpg, etc..) I've found out that there are more
> issues to package verification.
>
> The apt-check-sigs is failing to verify quite a few things:
>
> Source: deb http://amd64.debian.net/debian-pure64/ sid main contrib
> o Origin: Debian/Debian AMD64 archive
> o Suite: unstable/sid
> o Date: Wed, 29 Jun 2005 00:12:54 UTC
> o Description: Debian AMD64 archive - Unstable Development Version
> o Signed by: Debian AMD64 Archive Key <debian-amd64@lists.debian.org>
> * PROBLEMS WITH main (MISSING 3fec79394cb72698125030bf546aa8d4 97,
> MISSING 12bb516135b4fe217e9ec11556b484cd 13434988)
> * PROBLEMS WITH contrib (MISSING dbfef483032b40f05c87c7f4d9d81525 100,
> MISSING 6c9ee6eaf99f8e46f24d21ff8ee0cf99 199770)
>
> ....
>
> The following files in /var/lib/apt/lists have not been validated.
> This could turn out to be a harmless indication that this script is
> buggy
> or out of date, or it could let trojaned packages get onto your system.
>
>
> amd64.debian.net_debian-pure64_dists_sid_contrib_binary-amd64_Packages.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_binary-amd64_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_source_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_contrib_source_Sources.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_binary-amd64_Packages.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_binary-amd64_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_source_Release.FAILED
> amd64.debian.net_debian-pure64_dists_sid_main_source_Sources.FAILED
>
>
>
> Has anyone managed to make verification of packages/Release files
> work under amd64?
>
> Many thanks for any help
I was under the impression the majority of packages in debian were not
signed, since no one has come up with a way for the buildd to sign a
package using a package maintainer's key (and I imagine no one should try
either). Perhaps the package maintainers could (maybe some already do,
not sure) sign packages from the buildd when they are done, but I don't
think that is the case at the moment. Certainly I know debsigs just
didn't work very well before given how many packages were not signed.
Len Sorensen
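
Added example, not part of either message and not apt-check-sigs's own code: a Python sketch of the kind of check the quoted output concerns, comparing downloaded index files against the MD5Sum entries of a Release file. The Release text, file contents, function names and status labels are constructed for illustration.

```python
import hashlib

# Constructed sample data (not taken from the amd64 archive).
PACKAGES = b"Package: hello\nVersion: 2.1.1-4\nArchitecture: amd64\n"
RELEASE = (
    "Origin: Example archive\n"
    "Suite: unstable\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
    f" {'0' * 32} 97 main/binary-amd64/Release\n"
    "SHA1:\n"
    f" {'0' * 40} 97 main/binary-amd64/Release\n"
)

def parse_release_md5(release_text):
    """Return {relative_path: (md5_hex, size)} from the MD5Sum: section."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        elif in_section:
            break  # the next field (e.g. SHA1:) ends the section
    return entries

def check_indexes(release_text, files):
    """files maps relative path -> bytes of a downloaded index file."""
    results = {}
    for path, (digest, size) in parse_release_md5(release_text).items():
        data = files.get(path)
        if data is None:
            results[path] = "NOT_DOWNLOADED"   # listed in Release, no local copy
        elif len(data) != size or hashlib.md5(data).hexdigest() != digest:
            results[path] = "MISMATCH"         # local copy differs from Release
        else:
            results[path] = "OK"
    for path in files:                         # local file Release does not vouch for
        results.setdefault(path, "UNLISTED")
    return results

if __name__ == "__main__":
    local = {"main/binary-amd64/Packages": PACKAGES,
             "contrib/binary-amd64/Packages": b"unlisted\n"}
    for path, status in sorted(check_indexes(RELEASE, local).items()):
        print(f"{status:15} {path}")
```

This comparison only carries weight once the Release file's own signature has been verified against a trusted archive key. MD5 is used because the quoted output shows 32-hex-digit MD5 values; current Release files also carry SHA256 sections.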