Re: .deb integrity check
Amos Shapira wrote:
> It should be somehow possible to verify WHICH key should be verified,
> and be able to obtain this in an independent way (i.e. if the package
> is modified, and the key to be verified is directed to the cracker's
> key then your verification wouldn't reveal this, would it?).
If the package has to be signed by a key in the Debian keyring, which itself
must be signed by a single key, they can't do this.
It then becomes a matter of making sure people know what that key is and
preventing anyone from replacing it with a different key somewhere. I think
that's where we left off last time this discussion came around.
--
see shy jo