Re: thoughts on signature verification
On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> Also, I do think that we could create a good default policy which would
> provide a reasonable amount of additional security, and not be too
> intrusive. Basically, the policy should default to verifying against
> the Debian keyring, or /etc/dpkg/local-keys.gpg or something. That way
> someone applying to NM could just drop their key in that file, and tell
> their sponsor to do the same.
] $ cat /etc/dpkg/sourcekeys.conf
> Of course, we really need to make apt verify the Release signature
Apt can/should handle things in a more complicated way; in particular if
it's downloading packages from Debian it should expect a Debian signature,
while downloading Blackdown Java or OpenOffice.org stuff should have a
signature from a Blackdown or OpenOffice.org key.
Dpkg, OTOH, can't tell where a package is meant to have come from, so can
a) Check the signature's valid, and report who signed it
b) Expect the user to tell it which keyring to use, and check that
the key's in that keyring (dpkg-source --from=debian -x *.dsc)
c) Check that the signature is from the "Maintainer:"
Anthony Towns <email@example.com> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``If you don't do it now, you'll be one year older when you do.''