Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
> In article <[🔎] c7b40f9d0804051420x54657717v67397a33e0d4651d@mail.gmail.com> you wrote:
> > I trust the archive maintainers and have a secure way to get a copy of
> > their public key. I don't trust individual developers and cannot have
> > all of their keys securely distributed to me.
>
> Yes, you would have to sign the packages with your own key after verifying
> the release file.
If you are talking about automating the verification process, that
wouldn't quite work. The system that downloads the packages might have
been compromised. The files that I would sign on that system might
have been already modified at the time when I sign them.
So I don't see how signing the packages with my own key could help
here. Am I missing something?
Reply to: