Re: thoughts on signature verification

On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> Also, I do think that we could create a good default policy which would
> provide a reasonable amount of additional security, and not be too
> intrusive. Basically, the policy should default to verifying against
> the Debian keyring, or /etc/dpkg/local-keys.gpg or something. That way
> someone applying to NM could just drop their key in that file, and tell
> their sponsor to do the same.

] $ cat /etc/dpkg/sourcekeys.conf
] /usr/share/keyrings/debian-keyring.pgp
] /usr/share/keyrings/debian-keyring.gpg
] /home/newbie/.gnupg/trustedkeys.gpg

could work.

> Of course, we really need to make apt verify the Release signature
> too...

Apt can/should handle things in a more complicated way; in particular if
it's downloading packages from Debian it should expect a Debian signature,
while downloading Blackdown Java or OpenOffice.org stuff should have a
signature from a Blackdown or OpenOffice.org key.

Dpkg, OTOH, can't tell where a package is meant to have come from, so can
only do:

    a) Check the signature's valid, and report who signed it
    b) Expect the user to tell it which keyring to use, and check that
       the key's in that keyring (dpkg-source --from=debian -x *.dsc)
    c) Check that the signature is from the "Maintainer:"

Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``If you don't do it now, you'll be one year older when you do.''
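
The three checks a), b) and c) listed in the message above, as an added example that is not part of the original post and not dpkg's own code: it evaluates them over GnuPG `--status-fd` output for a signed .dsc. The function names, the fingerprint set standing in for the keyring the user selected, and the sample status lines are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample values; not a real key or a real upload.
FPR = "AAAA0000BBBB1111CCCC22220123456789ABCDEF"
GOOD_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2002-08-08 1028783074 0 3 0 17 2 01 {FPR}\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"

FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_status(status):
    """Reduce gpg --status-fd text to (state, fingerprint, signer uid)."""
    state, fpr, uid = "unsigned", None, None
    for line in status.splitlines():
        parts = line.split(" ", 3)  # prefix, keyword, first argument, rest
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAILURES:
            # Fail closed: any failure keyword overrides everything else.
            return keyword.lower(), None, None
        if keyword == "GOODSIG" and len(parts) == 4:
            uid = parts[3]
        elif keyword == "VALIDSIG":
            state, fpr = "good", parts[2]
    return state, fpr, uid


def check_dsc(status, maintainer, keyring_fprs):
    """Evaluate checks a), b) and c) for one signed .dsc."""
    state, fpr, uid = parse_status(status)
    valid = state == "good" and uid is not None
    signer_addr = parseaddr(uid or "")[1].lower()
    maint_addr = parseaddr(maintainer)[1].lower()
    return {
        # a) the signature is valid, and who made it
        "a_valid": valid,
        "signer": uid if valid else None,
        # b) the signing key is in the keyring the user selected
        "b_in_keyring": valid and fpr in keyring_fprs,
        # c) the signer matches "Maintainer:". The uid is self-asserted by
        #    whoever created the key, so c) only carries weight alongside b).
        "c_is_maintainer": valid and signer_addr != "" and signer_addr == maint_addr,
    }
```
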