Re: How to verify package integrity after they have been downloaded?

["Alexander Konovalenko" <alexkon@gmail.com>]

On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
> In article <[🔎] c7b40f9d0804051420x54657717v67397a33e0d4651d@mail.gmail.com> you wrote:
>  > I trust the archive maintainers and have a secure way to get a copy of
>  > their public key. I don't trust individual developers and cannot have
>  > all of their keys securely distributed to me.
>
>  Yes, you would have to sign the packages with your own key after verifying
>  the release file.

If you are talking about automating the verification process, that
wouldn't quite work. The system that downloads the packages might have
been compromised. The files that I would sign on that system might
have been already modified at the time when I sign them.

So I don't see how signing the packages with my own key could help
here. Am I missing something?