Re: GPG verification of apt packages
On 03/02/2021 21:50, Ramin Doe wrote:
> It's not entirely clear to me what the CIS guideline was expecting me to
> do. It says:
>
> Verify GPG keys are configured correctly for your package manager:
> # apt-key list
>
> Perhaps they want me to install apt-key, and use it to look at the gpg
> keys installed on my system, and then somehow verify that they aren't
> compromised? Does that sound like I'm understanding them correctly?
apt-key is considered deprecated (check the man: apt-key(8)). However,
what this command does is show you the list of keys trusted for package
installation.

I guess it's to make sure you have only legit keys there - but I didn't
read those guidelines, so I can't be completely sure :)

Cheers,
--
nodens
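
Added example, not part of the original message: one way to do the "only legit keys" check discussed above without apt-key is to compare the primary-key fingerprints apt trusts against an allowlist you maintain. The fingerprints, the sample listing and the allowlist file are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Flag apt-trusted keys whose primary fingerprint is not on an allowlist.
# Input is `gpg --with-colons` output; the allowlist has one fingerprint per line.
# Real use (allowlist path is an assumption; also check /etc/apt/trusted.gpg if present):
#   for f in /etc/apt/trusted.gpg.d/*; do gpg --show-keys --with-colons "$f"; done \
#     | unexpected_fprs /root/apt-key-allowlist.txt

# Print the fingerprint of each primary key: the fpr record that follows a
# pub record. fpr records that follow a sub record (subkeys) are skipped.
list_primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# unexpected_fprs ALLOWLIST: print trusted fingerprints missing from ALLOWLIST.
unexpected_fprs() {
    allow=$1
    [ -r "$allow" ] || { echo "allowlist not readable: $allow" >&2; return 2; }
    list_primary_fprs | sort -u | while read -r fpr; do
        grep -qxF "$fpr" "$allow" || printf '%s\n' "$fpr"
    done
}

# Constructed fingerprints (not real keys).
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FPR_SUB=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Constructed sample in gpg colon format: two primary keys, one with a subkey.
sample_listing() {
    cat <<EOF
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scSC:
fpr:::::::::$FPR_A:
uid:-::::1600000000::0000::Expected Archive Key (constructed):
sub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::s:
fpr:::::::::$FPR_SUB:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000:::-:::scSC:
fpr:::::::::$FPR_B:
uid:-::::1600000000::0000::Unknown Third-Party Key (constructed):
EOF
}

# Demo: only the first key is allowlisted, so the second is reported.
demo_allow=$(mktemp)
printf '%s\n' "$FPR_A" > "$demo_allow"
sample_listing | unexpected_fprs "$demo_allow"
rm -f "$demo_allow"
```

Any fingerprint this prints is a key apt trusts that you have not vetted; confirm it against the fingerprint published by the repository's owner before adding it to the allowlist.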