
Re: thoughts on signature verification



On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> Also, I do think that we could create a good default policy which would
> provide a reasonable amount of additional security, and not be too
> intrusive.  Basically, the policy should default to verifying against
> the Debian keyring, or /etc/dpkg/local-keys.gpg or something.   That way
> someone applying to NM could just drop their key in that file, and tell
> their sponsor to do the same.

] $ cat /etc/dpkg/sourcekeys.conf
] /usr/share/keyrings/debian-keyring.pgp
] /usr/share/keyrings/debian-keyring.gpg
] /home/newbie/.gnupg/trustedkeys.gpg

could work.

> Of course, we really need to make apt verify the Release signature
> too...

Apt can/should handle things in a more complicated way; in particular if
it's downloading packages from Debian it should expect a Debian signature,
while downloading Blackdown Java or OpenOffice.org stuff should have a
signature from a Blackdown or OpenOffice.org key. 

Dpkg, OTOH, can't tell where a package is meant to have come from, so can
only do:

	a) Check the signature's valid, and report who signed it
	b) Expect the user to tell it which keyring to use, and check that
	   the key's in that keyring (dpkg-source --from=debian -x *.dsc)
	c) Check that the signature is from the "Maintainer:"

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
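
The three dpkg-side checks (a), (b) and (c) listed in the message above, as an added example that is not part of the original mail or of dpkg's code. It parses status lines in the format gpgv writes with --status-fd; the sample status text, the .dsc text, the fingerprint and the KEYRINGS table (a stand-in for real keyring files selected by a --from style option) are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample data: a made-up fingerprint, gpgv --status-fd style lines,
# and a minimal .dsc header. None of it comes from a real key or package.
FPR = "AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2002-08-08 1028782800 0 3 0 17 2 01 {FPR}\n"
)
SAMPLE_DSC = "Format: 1.0\nSource: hello\nMaintainer: Example Maintainer <maint@example.org>\n"

# Hypothetical stand-in for keyring files: name -> fingerprints it contains.
KEYRINGS = {"debian": {FPR}, "local": set()}


def parse_status(text):
    """Return (signer_uid, fingerprint), or (None, None) unless the
    signature is both good and valid. Anything unexpected fails closed."""
    uid = fpr = None
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG"):
            return None, None
        if parts[1] == "GOODSIG" and len(parts) == 4:
            uid = parts[3]
        elif parts[1] == "VALIDSIG":
            fpr = line.split()[2]
    return (uid, fpr) if uid and fpr else (None, None)


def check(status_text, dsc_text, keyring=None):
    uid, fpr = parse_status(status_text)
    # (a) is the signature valid, and who signed it
    result = {"valid": fpr is not None, "signer": uid,
              "in_keyring": None, "is_maintainer": False}
    if fpr is None:
        return result
    # (b) only when the user names a keyring: is the signing key in it
    if keyring is not None:
        result["in_keyring"] = fpr in KEYRINGS.get(keyring, set())
    # (c) does the signer's address match the Maintainer: field
    m = re.search(r"^Maintainer:\s*(.+)$", dsc_text, re.M)
    signer_addr = parseaddr(uid)[1].lower()
    if m and signer_addr:
        result["is_maintainer"] = parseaddr(m.group(1))[1].lower() == signer_addr
    return result
```

The user ID compared in (c) is whatever the key's owner typed when creating the key, so a match there only carries weight when (b) has also placed the key in a keyring the user chose.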


