Re: verifying archive signature keys?

To: debian-security@lists.debian.org
Subject: Re: verifying archive signature keys?
From: Steffen Schulz <pepe_ml@gmx.net>
Date: Wed, 15 Aug 2007 15:38:42 +0200
Message-id: <[🔎] 20070815133842.GA29228@cbg.dyndns.org>
In-reply-to: <[🔎] 46C2BF2A.4060501@msgid.danisch.de>
References: <[🔎] 46C2BF2A.4060501@msgid.danisch.de>

Hi,

On 070815 at 11:48, Hadmut Danisch wrote:
> just a question because someone had asked me for help. The problem was
> that apt-get update had complained about not beeing able to verify
> signatures due to a missing pgp key.
> 
> Was easy to tell to do
> gpg --recv-key A70DAF536070D3A1
> gpg -a --export A70DAF536070D3A1 |  sudo apt-key add -
> 
> but: How would one verify that this key is the correct debian
> key (and not, e.g. the key used by an intruder to fake packages and
> simply uploaded to public key repositories)?

AFAIK:

The package debian-archive-keyring should contain the keys to
verifiy the archive release files.

This package is distributed with your set of CDs or whatever. Maybe you
can also get them from the debian site with https.

If the archive key can not be verified like this, eg with unofficial
repositories, you're screwed. Still, you get some 'continuity' here,
you don't intruduce an attack every time you start the update but only
once when you check-in the keys.

/steffen
-- 
pepe@unixfan.net                            gpg --recv-key A04D7875
Key fingerprint: B805 57BE E4AF 0104 CC51  77A1 CE6F 8D46 A04D 7875

Reply to:

References:
- verifying archive signature keys?
  - From: Hadmut Danisch <hadmut@danisch.de>

Prev by Date: Re: verifying archive signature keys?
Next by Date: secure installation
Previous by thread: Re: verifying archive signature keys?
Next by thread: secure installation
Index(es):
- Date
- Thread