Re: apt gpg keys/signatures
Ritesh Raj Sarraf <firstname.lastname@example.org> writes:
> Hi Goswin
> On Wednesday 07 Oct 2009 10:10:45 Goswin von Brederlow wrote:
>> Which is what I said. You just put the files into /var/lib/apt/lists/
>> under the right name and apt assumes they check out. It doesn't
>> actually verify them any more once they passed the initial verify and
>> left /partial/.
>> Then, to get apt to parse the files you placed there you run
>> apt-get --no-download update
>> That should blindly accept the files as trusted.
> This was exactly what I was doing earlier. I was writing them directly to
> /var/lib/apt/lists. Only with the exception that I was skipping the
> Release.gpg files.
> The downloaded files are archive files, so I was extracting them and then
> writing. And then if I did "apt-get upgrade", it would complain of untrusted
> Perhaps if I allowed apt-get to do the extraction, it would have marked them
> as trusted.
No, trusted is when the Release.gpg file exists. The existence of that
file, and only that existence, matters.
> Anyway, what I have ended up with looks good. Doing a secure check of the apt
> updates should be good. :-)
> Actually this will help a lot. Person A gives apt-offline signature to Person B
> (A friend, running Windows) to download it for him. Person B downloaded
> something and returned back to Person A. At this point Person A has an option
> to be ensured that the data he is going to sync to apt is really from Debian
> or not.
Yeah, don't forget to actually check the Release.gpg before copying
it into the apt directory. As said, apt never checks the file if you
put it there.
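One way to do the check Goswin describes, as an added example that is not part of the thread or of apt-offline: a shell function that refuses to copy a Release file into the lists directory unless its Release.gpg is present and verifies with gpgv. The keyring path, the list-file naming and the use of a destination directory other than /var/lib/apt/lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify each Release/Release.gpg pair
# before it is copied into apt's lists directory, because apt does not
# re-check files that already sit in /var/lib/apt/lists.
#
# Usage: verify_and_install SRC_DIR DEST_DIR [KEYRING]
#   SRC_DIR  - directory holding the files fetched offline
#   DEST_DIR - normally /var/lib/apt/lists (any directory for testing)
#   KEYRING  - defaults to the Debian archive keyring path (assumed)
verify_and_install() {
    src=$1
    dest=$2
    keyring=${3:-/usr/share/keyrings/debian-archive-keyring.gpg}
    status=0
    # apt names list files like host_debian_dists_lenny_Release, so the
    # glob below picks up the Release files but not their .gpg companions.
    for release in "$src"/*Release; do
        [ -f "$release" ] || continue
        sig="$release.gpg"
        if [ ! -f "$sig" ]; then
            echo "REJECT: $release has no Release.gpg" >&2
            status=1
            continue
        fi
        # gpgv exits non-zero on a bad, missing or unknown-key signature;
        # only a clean verification lets the pair be installed.
        if gpgv --keyring "$keyring" "$sig" "$release" 2>/dev/null; then
            cp -- "$release" "$sig" "$dest"/
            echo "OK: installed $(basename "$release")"
        else
            echo "REJECT: signature on $release did not verify" >&2
            status=1
        fi
    done
    return $status
}
```

The Release file also carries the checksums of the Packages and Sources files it covers; a complete offline check compares those too before anything is copied.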