Re: thoughts on signature verification
> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key.
> Dpkg, OTOH, can't tell where a package is meant to have come from, so can
> only do:
> a) Check the signature's valid, and report who signed it
> b) Expect the user to tell it which keyring to use, and check that
> the key's in that keyring (dpkg-source --from=debian -x *.dsc)
> c) Check that the signature is from the "Maintainer:"
You really need the read the debsig-verify package signing docs. In
fact, anything can tell with a good bit of security, just where a
package came from. The signing policy handles this. Apt and/or dpkg
simply call debsig-verify (note, the URL you download it from is not a
security measure, especially considering lots of people have local
mirrors, or hand-downloaded packages).
Debian - http://www.debian.org/
Linux 1394 - http://linux1394.sourceforge.net/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/