
Re: AW: dselect / apt-get and packages

Quoting Marcel Weber (mmweber@ncpro.com):

> A. Do I have to do something to activate this feature, besides 
> installing debsigxxx? For example setting a flag in a config file. The 
> dpkg and dselect man pages do not say anything about the signature 
> verification (as for 1.9.21 on woody).

I noticed this, too.  It's unfortunate.

I'm not the right guy to answer your questions, but I've at least seen
discussion of this matter before, and am trying to look up details while
writing this.

The matter was argued at length on the debian-dpkg list, starting here:
All you have to do is install debsig-verify.  If the latter is present,
dpkg will automatically check the signature of any package to be
installed, and die if verification fails (except where overridden using
a "--force-bad-verify" switch, or possibly --no-debsig, which you'll
want to check). 

I notice from browsing through the above-referenced thread a distinction
between release signatures (picked up when using apt) and deb
signatures.  Different mechanisms.  The dpkg patch under discussion
checks the latter.

In invoking debsig-verify, dpkg can follow a local policy file, which 
I gather specifies which keyring of signatures is considered
authoritative.  I would guess that the debian-keyring package's files
(/usr/share/keyrings/debian-keyring.gpg, /usr/share/keyrings/debian-keyring.pgp)
are in the format required.

Above summary is guaranteed to be shallow:  Browsing the debian-dpkg 
thread suggests that issues abound, and that (no surprise) careful
thinking about process and threat models is needed.

Cheers,            There are only 10 types of people in this world -- 
Rick Moen          those who understand binary arithmetic and those who don't.
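As an added example (not code from the post, from dpkg or from debsig-verify), the following Python script walks the ar container that a .deb is built from and reports whether the package carries an embedded deb signature, the kind of signature the thread above distinguishes from apt's release signatures. It assumes the debsigs convention that signature members are named `_gpg<name>` (default `_gpgorigin`); both sample packages are constructed inside the script with placeholder tar and signature bodies.

```python
# Added example: inspect the ar container of a .deb for an embedded
# signature member. Assumption: signature members are named "_gpg<name>"
# (debsigs' default is "_gpgorigin"). The sample packages are constructed.
AR_MAGIC = b"!<arch>\n"


def ar_build(members):
    """Serialise (name, payload) pairs into a minimal ar archive."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        # 60-byte header: name16 mtime12 uid6 gid6 mode8 size10 magic2
        hdr = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}"
               .encode("ascii") + b"`\n")
        out += hdr + payload
        if len(payload) & 1:          # members start on even offsets
            out += b"\n"
    return bytes(out)


def ar_members(data):
    """Yield (name, payload) for each member of an ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)


def deb_signature_members(deb):
    """Return the names of embedded signature members of a .deb."""
    names = [name for name, _ in ar_members(deb)]
    if names[:1] != ["debian-binary"]:
        raise ValueError("not a .deb: first member must be debian-binary")
    return [name for name in names if name.startswith("_gpg")]


# Constructed sample packages; the tar and signature bodies are placeholders.
_BASE = [("debian-binary", b"2.0\n"),
         ("control.tar.gz", b"<control.tar.gz placeholder>"),
         ("data.tar.gz", b"<data.tar.gz placeholder>")]
UNSIGNED_DEB = ar_build(_BASE)
SIGNED_DEB = ar_build(_BASE + [("_gpgorigin", b"<detached PGP signature placeholder>\n")])

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        sigs = deb_signature_members(deb)
        print(label, "->", sigs or "no embedded signature member")
```

Presence of the member is only the first step: the policy file decides which keyring must have produced it, and that check is what debsig-verify itself performs when dpkg invokes it.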
