[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: How to verify package integrity after they have been downloaded?

Files modified after download -> that said the system is compromise. 
In this case, the detection is very hard because you want signing with the compromise operating system.

-- Julien

On Sun, Apr 6, 2008, Bernd Eckenfels <ecki@lina.inka.de> wrote:
> In article <[🔎] c7b40f9d0804051420x54657717v67397a33e0d4651d@mail.gmail.com> you wrote:
>  > I trust the archive maintainers and have a secure way to get a copy of
>  > their public key. I don't trust individual developers and cannot have
>  > all of their keys securely distributed to me.
>
>  Yes, you would have to sign the packages with your own key after verifying
>  the release file.

If you are talking about automating the verification process, that
wouldn't quite work. The system that downloads the packages might have
been compromised. The files that I would sign on that system might
have been already modified at the time when I sign them.

So I don't see how signing the packages with my own key could help
here. Am I missing something?


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: