Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
>
> It should be possible to verify the package on install time. (Especially
> when not using apt-get).
>
> Not sure if debsig-verify can work in that environment.
debsig-verify is not applicable in my case. It implements a different
checking scheme from apt-secure with a different chain of trust.
debsig-verify can check the signature of the individual who prepared a
package, while apt-secure verifies the signature of archive
maintainers which applies to all packages. debsig-verify cannot verify
the archive maintainers' signature (Release.gpg).
I trust the archive maintainers and have a secure way to get a copy of
their public key. I don't trust individual developers and cannot have
all of their keys securely distributed to me.
As far as I know, debsig-verify is not currently in use by either
Debian or Ubuntu, and many packages lack a signature. The Securing
Debian Manual (section 7.4.5) even says that signatures from
developers are stripped when the packages enter the archive because
the preferred method of verification is secure apt.
-- Alexander
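The chain of trust Alexander describes (archive maintainers sign Release.gpg; Release carries the digests of the Packages indices; each Packages stanza carries the digest of one .deb) can be walked by hand for a package that was downloaded outside apt. The following is an added illustration, not code from the thread, from apt or from debsig-verify. It covers only the hash links of the chain; the first link, checking Release against Release.gpg with the archive keyring, is assumed to have been done already (apt does it with gpgv), since without it the digests below prove nothing. The package name, file paths and file contents are constructed sample data.

```python
"""Walk the secure-apt hash chain for one downloaded .deb (added example).

Trust flows Release.gpg -> Release -> Packages -> package file.  This code
checks the last two links; verifying Release.gpg is assumed to be done first.
"""
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file.

    Release lists digests under per-algorithm headers ("MD5Sum:", "SHA256:" ...),
    each followed by indented "<digest> <size> <path>" lines.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line is a header; only the SHA256 section is of interest.
            in_section = line.rstrip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {Filename: {field: value}} for each blank-line separated stanza."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            stanzas[fields["Filename"]] = fields
    return stanzas


def verify_deb(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """Check Packages against Release, then the .deb against Packages.

    Returns (ok, reason).  Size is compared as well as the digest, as apt does.
    """
    release_entries = parse_release_sha256(release_text)
    if packages_path not in release_entries:
        return False, "Packages file not listed in Release"
    want_digest, want_size = release_entries[packages_path]
    if len(packages_bytes) != want_size or sha256_hex(packages_bytes) != want_digest:
        return False, "Packages file does not match Release"
    stanzas = parse_packages(packages_bytes.decode())
    if deb_path not in stanzas:
        return False, "package not listed in Packages"
    stanza = stanzas[deb_path]
    if len(deb_bytes) != int(stanza["Size"]) or sha256_hex(deb_bytes) != stanza["SHA256"]:
        return False, "package file does not match Packages"
    return True, "ok"


def build_sample():
    """Constructed, self-consistent sample data (not a real archive or package):
    a fake .deb body, a Packages stanza describing it and a Release listing
    the Packages file."""
    deb_bytes = b"!<arch>\nconstructed-not-a-real-deb\n"
    deb_path = "pool/main/e/example/example_1.0_amd64.deb"
    packages_text = (
        "Package: example\nVersion: 1.0\nArchitecture: amd64\n"
        f"Filename: {deb_path}\nSize: {len(deb_bytes)}\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n\n"
    )
    packages_bytes = packages_text.encode()
    packages_path = "main/binary-amd64/Packages"
    release_text = (
        "Origin: Example\nSuite: stable\n"
        "MD5Sum:\n"
        f" {hashlib.md5(packages_bytes).hexdigest()} {len(packages_bytes)} {packages_path}\n"
        "SHA256:\n"
        f" {sha256_hex(packages_bytes)} {len(packages_bytes)} {packages_path}\n"
    )
    return release_text, packages_path, packages_bytes, deb_path, deb_bytes


if __name__ == "__main__":
    release, ppath, pbytes, dpath, dbytes = build_sample()
    print(verify_deb(release, ppath, pbytes, dpath, dbytes))
    print(verify_deb(release, ppath, pbytes, dpath, dbytes + b"tampered"))
```

Against a real mirror the inputs are the dist's Release file (after gpgv has accepted its Release.gpg), the matching Packages index and the downloaded .deb; any failure in the two hash links means the file should not be installed, whichever link broke.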