[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Checking signatures of .debs (was: Re: (fwd) OpenSSH trojan!)

Hash: SHA1

Marcel Weber <mmweber@ncpro.com> wrote:
> "Jussi Ekholm" <ekhowl@goa-head.org> wrote:
>> I was just wondering about the policy, in general - too. Are the
>> "official" Debian packages created with MD5 checksum file, as well?
>> And does ``debsums'' work in conjunction with apt, so it would check
>> the package and checksum file before apt installs it? As I said, just
>> mapping my options here...
> We had this kind of discussion some weeks ago on this list. Here is my
> "resumé" that I wrote:

> In this case we can say: When doing network installs via dselect or any 
> other apt-get frontend, the signatures of the .debs are checked during 
> installation time, IF debsig-verify is installed. This works at least 
> from dpkg 1.9.21 on.

Ok, thanks. Of course, GnuPG/PGP signature is a bit different than MD5
checksums, but thanks a lot for pointing this out for me. I just
installed ``debsig-verify'' -- is it supposed to add some extra messages
to usual apt's messages? Something like "Good signature" or such? Ah
well, maybe I should read ``debsig-verify(1)'' and other documentation
that comes along. :-) Oh, and I have dpkg 1.10, so it should work if
what you say holds true. 

Thanks again for your help.

- -- 
Jussi Ekholm  --  <ekhowl@goa-head.org>  --  http://erppimaa.ihku.org/
Version: GnuPG v1.0.7 (GNU/Linux)


Reply to: