[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

packages authenticity

Hi, I was wondering it there is any authenticity checking for the debian
package, because we signed the md5sum file with our gpg/pgp key, but how can
the user to make sure if these signs belogs to the valid package maintainer?

redhat packages are signed with the One Valid redhat key so I suggest to
sign somehow like that.

Eg. packages done, there is the md5 sum, maintainer signs that, and when the
package will be dinstalled, the Debian system signs it with the centralised

Or am I wrong and is there any other solution to check if the package is the
original one, and isn't it hacked?

Tamas SZERB <toma@rulez.org>
GPG public key: http://alabama.rulez.org/~toma/gpgkey-toma.asc

Reply to: