
Re: Suggest instructions for how to use volatile archive signing key



I suggested the text:

To ensure the packages in the volatile master and mirror archives have
not been tampered with, the packages are digitally signed.

You may wish to have "digitally signed" link to
http://wiki.debian.org/SecureApt



On Sun, 2007-05-06 at 18:17 -0700, Alexander Blazej wrote:
> Errors in my email:
> 
> 1) "apt-key" is not a package.  The program is included in the "apt"
> package, which also includes the "apt-get" program.  To correct this
> error, instead use this command:
> 
> apt-get update ; apt-get install curl ; curl http://www.debian.org/volatile/etch-volatile.asc | apt-key add -
> 
> 2) The sarge "apt" package does NOT contain "apt-key". To verify see:
> http://packages.debian.org/cgi-bin/search_contents.pl?searchmode=filelist&word=apt&version=oldstable&arch=i386
> I don't think apt-key existed in any sarge package, so the command I
> suggested using won't work in sarge.
> I won't try to give instructions on how to set up the Sarge signature
> since I don't have a system to test on, and I wouldn't know if I should
> add the key to /etc/apt/trusted.gpg  or /root/.gnupg/pubring.gpg
> 
> 
> I apologize for the errors.
> 
> On Sun, 2007-05-06 at 17:39 -0700, Alexander Blazej wrote:
> > The page:
> > 
> > http://www.debian.org/volatile/
> > 
> > has the text:
> > 
> > Archive signing key
> > Please see ziyi-sarge.asc for sarge, and etch-volatile.asc for etch.
> > 
> > 
> > I, and I suspect others, would appreciate more verbose instructions.
> > Please consider using this text:
> > 
> > To ensure the packages in the volatile master and mirror archives have
> > not been tampered with, the packages are digitally signed.  You need
> > to configure your system to recognize this signature.
> > 
> > If your system is running the Etch version of Debian, run as root:
> > apt-get update ; apt-get install curl apt-key ; curl http://www.debian.org/volatile/etch-volatile.asc | apt-key add -
> > 
> > If your system is running the Sarge version of Debian, run as root:
> > apt-get update ; apt-get install curl apt-key ; curl http://www.debian.org/volatile/ziyi-sarge.asc | apt-key add -
> > 
> > If your system encounters an unknown signature, you will get a warning such as:
> > 
> > W: GPG error: http://volatile.debian.org etch/volatile Release: The
> > following signatures couldn't be verified because the public key is not
> > available: NO_PUBKEY F193B82C012D9230
> > 
> > 

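A check that could precede the "apt-key add" step discussed in this thread, as an added example that is not part of the original messages: it takes the key ID from apt's NO_PUBKEY warning and confirms that a downloaded key file actually contains that key. The function names and the sample key listings are assumptions constructed for illustration; the warning text is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Warning text as quoted in the thread.
APT_WARNING="W: GPG error: http://volatile.debian.org etch/volatile Release: The
following signatures couldn't be verified because the public key is not
available: NO_PUBKEY F193B82C012D9230"

# Constructed samples of `gpg --with-colons` key listings. Only field 1
# (record type) and field 5 (key ID) are used; the other fields are filler.
GOOD_LISTING="pub:-:0:0:F193B82C012D9230:0:::-:::"
OTHER_LISTING="pub:-:0:0:0123456789ABCDEF:0:::-:::"

# Print every 16-hex-digit key ID that follows a NO_PUBKEY token, one per line.
# Splitting on all whitespace first copes with apt's line-wrapped warnings.
missing_key_ids() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' |
        awk 'prev == "NO_PUBKEY" && /^[0-9A-F]+$/ && length($0) == 16 { print }
             { prev = $0 }' | sort -u
}

# Print the key IDs of all primary keys and subkeys in a colon listing.
listed_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" || $1 == "sub" { print $5 }' | sort -u
}

# Exit status: 0 = every key apt asked for is in the listing,
#              1 = at least one is absent, 2 = no NO_PUBKEY ID found in $1.
keyfile_satisfies_apt() {
    want=$(missing_key_ids "$1")
    have=$(listed_key_ids "$2")
    [ -n "$want" ] || return 2
    for id in $want; do
        printf '%s\n' "$have" | grep -qxF "$id" || return 1
    done
    return 0
}

# Real use (needs a recent GnuPG; not run here):
#   listing=$(gpg --show-keys --with-colons etch-volatile.asc)
#   keyfile_satisfies_apt "$(apt-get update 2>&1)" "$listing" \
#       && apt-key add etch-volatile.asc
if keyfile_satisfies_apt "$APT_WARNING" "$GOOD_LISTING"; then
    echo "key file contains the key apt reported as missing"
fi
```

A matching key ID only shows that the file holds the key apt asked for; for a key fetched over plain HTTP, compare its full fingerprint against one obtained through a separate trusted channel before adding it.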

