Re: signed packages/releases
Robert Lemmen <firstname.lastname@example.org> writes:
> hi folks,
> can anyone tell me what the status of the package/release
> signing/verifying is? is anyone (who?) working on it?
> i am extremly interested in this feature and would like to help as much
> as i can ...
Release files are signed in Release.gpg. The Release files contain
md5sum and sizes of the Packages and Sources files and they are
verified through that. The Packages and Sources files contain md5sum
and size of the debs and sources and they are in turn verified.
What needs to be done is to check the Release files signature against
the Release file. Don't think thats done automatically yet.
Apart from that mechanism uploads from maintainers are signed in the
changes files, but that information is lost during installation in the
Uploads from buildd's, which is the majority of uploads, cannot be
signed safely. It would be too easy to steal the buildds gpg key and
fake signed packages.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org