Checking signatures of .debs (was: Re: (fwd) OpenSSH trojan!)
-----BEGIN PGP SIGNED MESSAGE-----
Marcel Weber <email@example.com> wrote:
> "Jussi Ekholm" <firstname.lastname@example.org> wrote:
>> I was just wondering about the policy, in general - too. Are the
>> "official" Debian packages created with MD5 checksum file, as well?
>> And does ``debsums'' work in conjunction with apt, so it would check
>> the package and checksum file before apt installs it? As I said, just
>> mapping my options here...
> We had this kind of discussion some weeks ago on this list. Here is my
> "resumé" that I wrote:
> In this case we can say: When doing network installs via dselect or any
> other apt-get frontend, the signatures of the .debs are checked during
> installation time, IF debsig-verify is installed. This works at least
> from dpkg 1.9.21 on.
Ok, thanks. Of course, a GnuPG/PGP signature is a bit different from MD5
checksums, but thanks a lot for pointing this out to me. I just
installed ``debsig-verify'' -- is it supposed to add some extra messages
to apt's usual messages? Something like "Good signature" or such? Ah
well, maybe I should read ``debsig-verify(1)'' and the other documentation
that comes along with it. :-) Oh, and I have dpkg 1.10, so it should work if
what you say holds true.
Thanks again for your help.
Jussi Ekholm -- <email@example.com> -- http://erppimaa.ihku.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
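To make the distinction in the exchange above concrete (an md5sums control file versus a signature over the package), here is an added example that is not part of the thread and not the code of dpkg, debsums or debsig-verify. It builds a minimal .deb in memory (the real container format: an ar archive holding debian-binary, control.tar.gz and data.tar.gz), then runs a debsums-style check of the DEBIAN/md5sums file against the data archive. The package name, file paths and file contents are constructed for illustration; real debsums compares installed files against the md5sums dpkg keeps under /var/lib/dpkg/info, which this simplified version does not model.

```python
"""Added example: build a tiny .deb in memory and verify its md5sums.
Everything here (package, paths, contents) is constructed for illustration."""
import hashlib
import io
import tarfile

DEBIAN_BINARY = b"2.0\n"  # first ar member of every binary .deb


def _ar_member(name: str, data: bytes) -> bytes:
    """One member of an ar archive (the .deb container): a 60-byte
    fixed-width ASCII header, the payload, and a newline pad to even length."""
    header = (
        f"{name:<16}"          # member name
        f"{'0':<12}"           # mtime
        f"{'0':<6}{'0':<6}"    # uid, gid
        f"{'100644':<8}"       # mode
        f"{len(data):<10}"     # size in bytes
        "`\n"                  # header magic
    ).encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """gzip-compressed tar of {path: bytes}, entries stored as ./path like dpkg-deb."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("./" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def md5sums_file(data_files: dict) -> bytes:
    """DEBIAN/md5sums in the layout dpkg-deb writes: '<md5hex>  <path>' per line."""
    lines = [f"{hashlib.md5(c).hexdigest()}  {p}" for p, c in sorted(data_files.items())]
    return ("\n".join(lines) + "\n").encode()


def build_deb(data_files: dict, md5sums: bytes) -> bytes:
    """Assemble debian-binary + control.tar.gz + data.tar.gz into an ar archive."""
    control = _tar_gz({"control": b"Package: example\nVersion: 1.0\n", "md5sums": md5sums})
    return (b"!<arch>\n"
            + _ar_member("debian-binary", DEBIAN_BINARY)
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", _tar_gz(data_files)))


def read_ar(blob: bytes) -> dict:
    """Parse an ar archive into {member_name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58])
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)   # skip the odd-length pad byte
    return members


def _untar(blob: bytes) -> dict:
    """{path: bytes} for regular files in a .tar.gz, with the leading ./ removed."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                path = m.name[2:] if m.name.startswith("./") else m.name
                out[path] = tar.extractfile(m).read()
    return out


def debsums_check(deb: bytes) -> list:
    """Return the paths listed in md5sums whose content is missing or does not
    match. An empty list means every listed file verifies."""
    members = read_ar(deb)
    if members.get("debian-binary") != DEBIAN_BINARY:
        raise ValueError("unsupported .deb format version")
    control = _untar(members["control.tar.gz"])
    data = _untar(members["data.tar.gz"])
    bad = []
    for line in control["md5sums"].decode().splitlines():
        digest, path = line.split("  ", 1)
        actual = data.get(path)
        if actual is None or hashlib.md5(actual).hexdigest() != digest:
            bad.append(path)
    return bad


# Constructed sample contents (not a real package).
GOOD_FILES = {"usr/bin/ssh": b"#!/bin/sh\necho genuine\n"}
TROJANED_FILES = {"usr/bin/ssh": b"#!/bin/sh\necho trojaned\n"}


def demo():
    """Three packages: clean; tampered data with the original md5sums (detected);
    tampered data with regenerated md5sums (passes, since md5sums prove nothing
    about who built the package)."""
    clean = build_deb(GOOD_FILES, md5sums_file(GOOD_FILES))
    stale_sums = build_deb(TROJANED_FILES, md5sums_file(GOOD_FILES))
    regenerated = build_deb(TROJANED_FILES, md5sums_file(TROJANED_FILES))
    return debsums_check(clean), debsums_check(stale_sums), debsums_check(regenerated)
```

The third case is the point of the distinction made in the reply: an md5sums file travels inside the package, so anyone able to replace the package can also rewrite the checksums, and a debsums-style check will pass. Catching that requires something the attacker cannot regenerate, a GnuPG/PGP signature checked against a trusted key, which is what debsig-verify is for.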