Re: How to verify package integrity after they have been downloaded?



On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
>
>  It should be possible to verify the package on install time. (Especially
>  when not using apt-get).
>
>  Not sure if debsig-verify can work in that environment.

debsig-verify is not applicable in my case. It implements a different
checking scheme from apt-secure with a different chain of trust.
debsig-verify can check the signature of the individual who prepared a
package, while apt-secure verifies the signature of archive
maintainers which applies to all packages. debsig-verify cannot verify
the archive maintainers' signature (Release.gpg).

I trust the archive maintainers and have a secure way to get a copy of
their public key. I don't trust individual developers and cannot have
all of their keys securely distributed to me.

As far as I know, debsig-verify is not currently in use by either
Debian or Ubuntu, and many packages lack a signature. The Securing
Debian Manual (section 7.4.5) even says that signatures from
developers are stripped when the packages enter the archive because
the preferred method of verification is secure apt.

  -- Alexander
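The apt-secure chain of trust described in the reply above (Release.gpg signed with the archive maintainers' key, Release listing the hash of each Packages index, Packages listing the hash of each .deb), walked link by link in Python. This is an added example, not code from the thread or from apt; the Release, Packages and .deb contents are constructed inline, and the gpgv check of Release.gpg against the archive keyring is assumed to have passed before the hash links are checked.

```python
import hashlib

# Constructed sample archive data (not a real mirror): one .deb, a Packages
# index listing it, and a Release file listing that Packages index.
DEB_BYTES = b"!<arch>\nconstructed-deb-contents\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_all.deb"
PACKAGES = (
    "Package: example\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)
PACKAGES_PATH = "main/binary-all/Packages"
RELEASE = (
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} "
    f"{len(PACKAGES.encode())} {PACKAGES_PATH}\n"
)

def release_entries(release_text):
    """Map path -> (sha256, size) from the SHA256 block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif not line.startswith(" "):
            in_block = False          # any other header ends the block
        elif in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def packages_stanzas(packages_text):
    """Yield field -> value dicts, one per stanza of a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        yield dict(line.partition(": ")[::2] for line in stanza.splitlines())

def verify_chain(release_text, packages_path, packages_text, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb; True only if every hash link holds.
    The step that anchors the chain, checking Release.gpg against the archive
    keyring (apt does this with gpgv), is assumed to have passed already."""
    expected = release_entries(release_text).get(packages_path)
    data = packages_text.encode()
    if expected != (hashlib.sha256(data).hexdigest(), len(data)):
        return False                  # Packages index not vouched for by Release
    for pkg in packages_stanzas(packages_text):
        if pkg.get("Filename") == deb_path:
            return (int(pkg["Size"]) == len(deb_bytes)
                    and hashlib.sha256(deb_bytes).hexdigest() == pkg["SHA256"])
    return False                      # .deb not listed in the verified index
```

A tampered .deb, a tampered Packages file, or a Packages path absent from Release each break a link and the function returns False.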