
Re: Official Debian digital 'branding' of debs

Gunnar.Isaksson@saab.se writes:

> Dear Sirs,
> I have noticed that debian sources are PGP signed by their
> package maintainers but the debian binaries are not signed.
> Since I work in a very security aware environment I would
> like every debian binary to also be PGP signed.

You can check the md5sums against the ones from the Packages file. And
the Packages file should probably be signed somehow to ensure it's
correct. Or you can get the original Packages file via ssh if you are
a maintainer.

Signing all packages automatically during upload is too risky in my
eyes, since then that main key would float around and be hacked too
easily. Signing all packages by the maintainers is not possible for
autobuild daemons and thus not worth demanding at all.


May the Source be with you.
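The check the reply describes (compare a downloaded .deb against the MD5sum recorded for it in the Packages index) as an added worked example; this is not code from the original post or from Debian's tools. The Packages stanzas, the file paths and the .deb contents below are all constructed stand-ins, and the MD5sum values are computed from those constructed payloads. It also shows the two failure cases a checker has to reject: a file whose digest does not match, and a file the index does not list at all. The comparison is only as trustworthy as the index it reads, which is the reply's point that the Packages file itself needs to be authenticated (signed, or fetched over an authenticated channel).

```python
import hashlib

# Constructed stand-ins for downloaded .deb files (raw bytes, not real ar archives).
# The keys are hypothetical archive paths, matching the Filename field below.
DEB_FILES = {
    "dists/stable/main/binary-i386/example-tool_1.0-1_i386.deb": b"!<arch>\nexample-tool payload\n",
    "dists/stable/main/binary-i386/example-lib_2.3-1_i386.deb": b"!<arch>\nexample-lib payload\n",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the digest type the Packages index of the time carried."""
    return hashlib.md5(data).hexdigest()


def sample_packages_index() -> str:
    """Constructed Packages index (two RFC822-style stanzas) whose MD5sum
    fields are derived from the constructed payloads above."""
    stanzas = []
    for filename, data in DEB_FILES.items():
        name = filename.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(
            f"Package: {name}\n"
            f"Architecture: i386\n"
            f"Filename: {filename}\n"
            f"MD5sum: {md5_hex(data)}\n"
        )
    return "\n".join(stanzas)


def parse_packages(text: str) -> dict:
    """Map Filename -> MD5sum for every stanza that carries both fields.
    Continuation lines (leading space) belong to the previous field and are skipped."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "Filename" in fields and "MD5sum" in fields:
            entries[fields["Filename"]] = fields["MD5sum"].lower()
    return entries


def verify_deb(index: dict, filename: str, data: bytes) -> bool:
    """True only if the index lists this file and the digest of the bytes matches.
    An unlisted file is rejected rather than treated as 'nothing to check'."""
    listed = index.get(filename)
    if listed is None:
        return False
    return md5_hex(data) == listed


def check_all(index_text: str, files: dict) -> dict:
    """Verify every downloaded file against the index; returns {filename: ok}."""
    index = parse_packages(index_text)
    return {name: verify_deb(index, name, data) for name, data in files.items()}


if __name__ == "__main__":
    index_text = sample_packages_index()
    for name, ok in check_all(index_text, DEB_FILES).items():
        print(("OK      " if ok else "MISMATCH"), name)
```

Run stand-alone it reports OK for both constructed files; a modified payload or a .deb not present in the index is reported as a mismatch, and in practice such a file should be discarded rather than installed.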
