Re: Does net install cryptographically verify downloaded data?
On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:
> Does net install cryptographically verify downloaded data?
>
> Searching the iso for gpg/keyrings didn't return any results for me.

Sorry, sent too fast, so missed two crucial bits:

- The net install image contains a minimal set of packages to
  "bootstrap" the installation from. This includes the package which
  installs the keys used to sign the Release files in the Debian
  archive which will be used by the netinstall process.
- While individual packages are signed, APT actually verifies that
  the Release file it obtained from the archive has a correct signature.
  The Release file contains the checksums of the Packages files,
  which contain the checksums of the individual packages.

Hence the validity of the signature of the Release file authenticates
the individual packages indirectly - via checksumming.