On Fri,25.Dec.09, 20:54:04, Sthu Deus wrote: > Thank You for Your time and answer, (sorry for long reply) Boyd: > > >Depends on how you got the package. There is a "chain of trust" between > >your apt keyring and the package contents. The Release and Packages files > >have detached signatures, which APT verifies to ensure they are trusted and > >not corrupt. The Packages file contains multiple hashes for each .deb > >package, which APT verifies to ensure they are trusted and not corrupt. The > >.deb package might contain a .debsums file. If not .debsums can be > >generated locally. > > When does apt checks the package integrity: at download or at install > moment? - If at install moment - then can I download w/ the help of > wget and then put into apt's package dir. so that it will install as > if it was retrieved by apt but not installed. Or apt will suppose id a > package is there- then it is verified already and will not test its > integrity? > > The, at the time of checking apt relies on keyring, then it generates > checksums - why do I need them, if apt already has checked the > package? Hello, As far as I know there are two different mechanisms: 1. secure-apt, which checks the integrity of the .deb files before installing them (I'm not sure if this is done before or after the download) 2. debsums, which checks the integrity of each file contained in a .deb. This method relies on proper information contained in each .deb which not all .debs provide. What are you trying to accomplish? Regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Attachment:
signature.asc
Description: Digital signature