
Re: signatures for debs installed manually



On Tue, 8 Sep 2009 12:01:09 +1000
Morgan Storey <me@morganstorey.com> wrote:

> Hi Celejar,
> 
> You can get him to PGP/GPG sign the package, then just verify it with
> his public key, or simply md5sum and sha1sum the package. There are MD5
> collisions so someone could make a package of the same size with the
> same md5 hash that contains different malicious code, but for your
> needs it should be enough.
> Obviously the safest out of all of these is the PGP/GPG, but the MD5
> and sha1 are easier to implement. In this case below I don't know the
> procedures, but the developer will probably have a GPG key that he can
> sign the package with, then just get his public key off a key server
> and verify.

Thanks.  I know that there are ways to do this, but I was wondering if
the developer needs to be asked in each case, or if there's some sort
of standard procedure that is followed.

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
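The two checks Morgan describes, a detached OpenPGP signature on the .deb and a checksum listed by the developer, put together as a small POSIX shell script. This is an added example, not code from either poster; the file names (pkg.deb, pkg.deb.asc, SHA1SUMS) and the idea of keeping the developer's key in a dedicated keyring file are assumptions for illustration. The checksum file is expected in the format `sha1sum` itself prints (hash, two spaces, file name).

```shell
#!/bin/sh
# Added example: verify a manually downloaded .deb before installing it.
# Assumed file names: pkg.deb, pkg.deb.asc (detached signature), SHA1SUMS.

# verify_sig DEB SIGFILE KEYRING
# Returns 0 if the detached signature verifies against a key in KEYRING,
# 1 if it does not, 2 if gpg is not installed. The keyring is assumed to
# hold only the developer's public key, so a "good signature" from any
# other key cannot slip through.
verify_sig() {
    deb=$1; sig=$2; keyring=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$deb" >/dev/null 2>&1
}

# verify_sha1 DEB SUMSFILE
# Looks up the entry for DEB's base name in SUMSFILE (sha1sum format) and
# compares it with the freshly computed digest. Returns 0 on match.
verify_sha1() {
    deb=$1; sums=$2
    name=$(basename "$deb")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha1sum "$deb" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
}

# verify_deb DEB SUMSFILE [SIGFILE KEYRING]
# The checksum must always match; when a signature and keyring are given
# the signature must verify as well. Either failure rejects the package.
verify_deb() {
    deb=$1; sums=$2; sig=$3; keyring=$4
    verify_sha1 "$deb" "$sums" || return 1
    if [ -n "$sig" ]; then
        verify_sig "$deb" "$sig" "$keyring" || return 1
    fi
    echo "ok: $deb"
}

# Typical use (commented out so the script can be sourced without side effects):
# verify_deb pkg.deb SHA1SUMS pkg.deb.asc developer.gpg && sudo dpkg -i pkg.deb
```

A checksum only proves the download matches what the developer published over the same channel; the signature is what ties it to the developer's key, which is why `verify_deb` treats a missing signature as optional but never lets a failed one pass. Where you control the checksum format, `sha256sum` is a drop-in replacement for `sha1sum` in `verify_sha1` and avoids the collision concern raised above.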

