Re: thoughts on signature verification
> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key.
>
> Dpkg, OTOH, can't tell where a package is meant to have come from, so can
> only do:
>
> a) Check the signature's valid, and report who signed it
> b) Expect the user to tell it which keyring to use, and check that
> the key's in that keyring (dpkg-source --from=debian -x *.dsc)
> c) Check that the signature is from the "Maintainer:"
You really need to read the debsig-verify package signing docs. In
fact, anything can tell with a good bit of security, just where a
package came from. The signing policy handles this. Apt and/or dpkg
simply call debsig-verify (note, the URL you download it from is not a
security measure, especially considering lots of people have local
mirrors, or hand-downloaded packages).
--
Debian - http://www.debian.org/
Linux 1394 - http://linux1394.sourceforge.net/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/
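The exchange above contrasts three things dpkg could do with a signature (verify and report, check against a user-named keyring, require the Maintainer's key) with the policy-driven approach of debsig-verify, where the package's own declared origin selects the keyring that must have signed it. The following is an added illustration written for this page, not code from dpkg, apt or debsig-verify. It uses Ed25519 from Go's standard library in place of OpenPGP, treats a key's user id as its identifier, and the keyring names, user ids and packages are all constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring is a named set of trusted public keys indexed by the user id bound
// to each key (a stand-in for an OpenPGP keyring file).
type Keyring struct {
	Name string
	Keys map[string]ed25519.PublicKey
}

// Package is what a verifier gets to see. Origin and Maintainer come from the
// package's own signed control data, never from the URL it was fetched from.
type Package struct {
	Name, Origin, Maintainer string
	Payload                  []byte
	SignerUID                string // user id the signature claims to be from
	Signature                []byte
}

// Policy maps a declared origin to the keyring whose keys may sign it
// (a simplified model of a per-origin debsig-verify policy).
type Policy map[string]*Keyring

// signedDigest covers the control fields and the payload, so neither Origin
// nor Maintainer can be rewritten without invalidating the signature.
func signedDigest(p *Package) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%s\n", p.Name, p.Origin, p.Maintainer)
	h.Write(p.Payload)
	return h.Sum(nil)
}

// Sign attaches a signature made with priv and claims the given user id.
func Sign(p *Package, uid string, priv ed25519.PrivateKey) {
	p.SignerUID = uid
	p.Signature = ed25519.Sign(priv, signedDigest(p))
}

// Option a: the signature verifies under some known key; report who signed.
// A valid signature from the wrong party still passes this check.
func VerifyAndReport(p *Package, rings ...*Keyring) (string, error) {
	for _, r := range rings {
		if pub, ok := r.Keys[p.SignerUID]; ok && ed25519.Verify(pub, signedDigest(p), p.Signature) {
			return fmt.Sprintf("%s (keyring %s)", p.SignerUID, r.Name), nil
		}
	}
	return "", errors.New("no known key verifies this signature")
}

// Option b: the caller names the keyring; the signing key must be in it.
func VerifyWithKeyring(p *Package, ring *Keyring) error {
	pub, ok := ring.Keys[p.SignerUID]
	if !ok {
		return fmt.Errorf("signer %q not in keyring %s", p.SignerUID, ring.Name)
	}
	if !ed25519.Verify(pub, signedDigest(p), p.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Option c: on top of b, the signer must be the package's Maintainer.
func VerifyFromMaintainer(p *Package, ring *Keyring) error {
	if err := VerifyWithKeyring(p, ring); err != nil {
		return err
	}
	if p.SignerUID != p.Maintainer {
		return fmt.Errorf("signed by %q but Maintainer is %q", p.SignerUID, p.Maintainer)
	}
	return nil
}

// VerifyByPolicy: the declared origin selects the keyring, so a genuine key
// from another keyring is rejected no matter which mirror served the file.
func VerifyByPolicy(p *Package, pol Policy) error {
	ring, ok := pol[p.Origin]
	if !ok {
		return fmt.Errorf("no policy for origin %q", p.Origin)
	}
	return VerifyWithKeyring(p, ring)
}

// Scenario holds constructed sample keys, a policy and four packages.
type Scenario struct {
	Policy                                   Policy
	Debian, Blackdown                        *Keyring
	GoodDebian, GoodJava, WrongKey, Tampered *Package
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewScenario builds the constructed data: a "Debian" and a "Blackdown"
// keyring, one package correctly signed for each, one Debian-labelled package
// signed with the (genuine) Blackdown key, and one modified after signing.
func NewScenario() *Scenario {
	const joe, java = "Joe Maintainer <joe@example.org>", "Blackdown Java <java@example.org>"
	joePub, joePriv := mustKey()
	javaPub, javaPriv := mustKey()
	debian := &Keyring{Name: "debian", Keys: map[string]ed25519.PublicKey{joe: joePub}}
	blackdown := &Keyring{Name: "blackdown", Keys: map[string]ed25519.PublicKey{java: javaPub}}
	s := &Scenario{Policy: Policy{"Debian": debian, "Blackdown": blackdown}, Debian: debian, Blackdown: blackdown}
	s.GoodDebian = &Package{Name: "foo", Origin: "Debian", Maintainer: joe, Payload: []byte("foo 1.0")}
	Sign(s.GoodDebian, joe, joePriv)
	s.GoodJava = &Package{Name: "j2sdk", Origin: "Blackdown", Maintainer: java, Payload: []byte("j2sdk 1.4")}
	Sign(s.GoodJava, java, javaPriv)
	s.WrongKey = &Package{Name: "foo", Origin: "Debian", Maintainer: joe, Payload: []byte("foo 1.0-other")}
	Sign(s.WrongKey, java, javaPriv)
	t := *s.GoodDebian
	t.Payload = []byte("foo 1.0 modified")
	s.Tampered = &t
	return s
}

func main() {
	s := NewScenario()
	for _, p := range []*Package{s.GoodDebian, s.GoodJava, s.WrongKey, s.Tampered} {
		who, err := VerifyAndReport(p, s.Debian, s.Blackdown)
		fmt.Printf("%-5s origin=%-9s a) %q %v\n      policy: %v\n", p.Name, p.Origin, who, err, VerifyByPolicy(p, s.Policy))
	}
}
```

Running it shows the point of the reply: the `WrongKey` package carries a perfectly valid signature and option a) happily reports its signer, but the policy check rejects it because a Blackdown key is not in the keyring selected for origin "Debian". The download URL never enters the decision.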