Re: Howto verify packages with apt-get (gpg?)

To: debian-security@lists.debian.org
Subject: Re: Howto verify packages with apt-get (gpg?)
From: Fred Bowman <nospam@xonx.de>
Date: Sat, 30 Nov 2002 12:28:35 +0100
Message-id: <[🔎] 3DE8A0E3.4080908@xonx.de>
References: <[🔎] 3DE77EA1.1080207@xonx.de> <3326318043.20021129174032@hnc.cc>

Benjamin Schulz schrieb:

how can i proof, that the package is ok? md5sum is not satisfactory.


why not?

imagine that a package, which is provided on a server, is manipulated(trojan). there would be no problem for the bad guy to manipulate themd5sum, too (if provided on the same server). he just has to build itfrom the new package (trojan) and then replace the old one with the new.signatures of files can not be as easily manipulated as md5sums.therefore you need to have the secret key and passphrase to sign the newpackage.


Thanx to everybody for your hints.

Greetings,
Fred

Reply to:

Follow-Ups:
- Re: Howto verify packages with apt-get (gpg?)
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

References:
- Howto verify packages with apt-get (gpg?)
  - From: Fred Bowman <nospam@xonx.de>

Prev by Date: Re: SNORT not adding entries to snort/portscan ???
Next by Date: Re: Howto verify packages with apt-get (gpg?)
Previous by thread: Re: Howto verify packages with apt-get (gpg?)
Next by thread: Re: Howto verify packages with apt-get (gpg?)
Index(es):
- Date
- Thread