
Re: GPG verification of apt packages



Hi,

On 28/01/2021 19:08, Ramin Doe wrote:

> "Currently there are two different implementations for signing
> individual packages..."
> I think this is referring to the GPG signature verification mechanisms
> that are disabled by default. I'm happy to not go down the
> route of enabling GPG verification, since it seems to be poorly
> documented (I haven't found a single concrete example of how to do
> this), so long as I can feel that the metadata checksum method is
> sufficiently reliable. I think that looking at the Release files would
> go a long way to relieving my anxiety about this. Any help would be
> appreciated!

Check any mirror? E.g. https://debian.ethz.ch/debian/dists/buster/

> I do wish there was an official document giving a high-level TLDR
> description of apt security, complete with caveats. As a bonus
> cherry-on-top wish, it would be awesome if it furthermore made clear
> what old mechanisms were deprecated and could be ignored!

The closest thing that comes to my mind would be
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html.
Hope it helps!

Cheers,

-- 
nodens
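An added example, not part of this thread, of the metadata checksum chain the poster asks about: once the Release file's signature has been verified, apt checks each index file against the size and SHA256 the Release file records, and each .deb against its Packages entry in turn. The Release and Packages contents below are constructed, and `release_entry`, `check_index` and `demo` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: the checksum chain apt follows after the
# Release file's signature has been verified, e.g. with
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
# (that step needs the keyring and the mirror files, so it is not run here).
set -eu

# Print one field of the SHA256 entry a Release file records for an index path.
# Entries sit under "SHA256:" as " <digest> <size> <path>".
release_entry() {  # $1 = Release file, $2 = index path, $3 = field (1=digest, 2=size)
    awk -v want="$2" -v f="$3" '
        /^SHA256:/  { in_sha = 1; next }
        /^[A-Za-z]/ { in_sha = 0 }
        in_sha && $3 == want { print $f; exit }
    ' "$1"
}

# Compare the recorded size and digest with a local copy of the index.
# Returns 0 when both match, 1 on a mismatch, 2 when Release has no entry.
check_index() {  # $1 = Release file, $2 = index path, $3 = local index file
    expected=$(release_entry "$1" "$2" 1)
    [ -n "$expected" ] || return 2
    [ "$(release_entry "$1" "$2" 2)" = "$(wc -c < "$3" | tr -d ' ')" ] || return 1
    [ "$expected" = "$(sha256sum "$3" | cut -d' ' -f1)" ]
}

# Constructed demonstration data (not real Debian metadata): a one-entry
# Packages index, a Release file recording its digest, and a tampered copy.
demo() {
    dir=$(mktemp -d)
    printf 'Package: hello\nVersion: 2.10-2\nFilename: pool/main/h/hello/hello_2.10-2_amd64.deb\n' \
        > "$dir/Packages"
    printf 'Suite: buster\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
        "$(sha256sum "$dir/Packages" | cut -d' ' -f1)" \
        "$(wc -c < "$dir/Packages" | tr -d ' ')" > "$dir/Release"
    # Same length, one changed byte: the size check passes, the digest does not.
    sed 's/2\.10-2/2.10-3/' "$dir/Packages" > "$dir/Packages.tampered"
    result=""
    check_index "$dir/Release" main/binary-amd64/Packages "$dir/Packages" && result="ok"
    check_index "$dir/Release" main/binary-amd64/Packages "$dir/Packages.tampered" \
        || result="$result MISMATCH"
    rm -rf "$dir"
    echo "$result"
}

demo   # prints: ok MISMATCH
```

The same comparison, applied to the Packages entry for a .deb, is what stands between the signed Release file and the package actually installed.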


