Re: How to verify debian packages?

To: debian-security@lists.debian.org
Subject: Re: How to verify debian packages?
From: Marcin Owsiany <porridge@debian.org>
Date: Tue, 6 Nov 2007 16:55:18 +0000
Message-id: <[🔎] 20071106165517.GB17150@beczulka>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 13607247.post@talk.nabble.com>
References: <[🔎] 13607247.post@talk.nabble.com>

On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
> 
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?

Individual packages are not signed, so you would basically need to
manually repeat the process which APT uses for verifying package
integrity:
 - calculate package's MD5 and SHA sums
 - look up the package in the Packages file, check they match, calculate
   the Packages(.gz) file's sums
 - look that one up in a Release file
 - verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

Reply to:

References:
- How to verify debian packages?
  - From: peterer <lotharster@gmail.com>

Prev by Date: How to verify debian packages?
Next by Date: Re: perl regex vulnerability - debian - pcre only?
Previous by thread: How to verify debian packages?
Next by thread: Re: perl regex vulnerability - debian - pcre only?
Index(es):
- Date
- Thread