On Sat, 2014-04-05 at 16:52 +0000, Elmar Stellnberger wrote:
Am 05.04.2014 15:23, schrieb Patrick Schleizer:
As Debian package headers do not use to be signed
I think you are mistaken here or maybe I misunderstand. When you have a
Debian medium you trust (such as a Live DVD from a trusted source), we
can regard keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as
trusted.
For example http://ftp.us.debian.org/debian/dists/jessie/InRelease and
http://ftp.us.debian.org/debian/dists/jessie/Release.gpg are gpg signed
by the Debian archive key.
Ah, many thanks for that advice. I had just looked at the Release file
which was and still is not signed (am I right?! - have just checked this
file).
As the message you quoted says, there's a detached signature available
in the same location.
Regards,
Adam