
Re: GPG verification of apt packages



On 03/02/2021 21:50, Ramin Doe wrote:
> It's not entirely clear to me what the CIS guideline was expecting me to
> do. It says:
> 
>     Verify GPG keys are configured correctly for your package manager:
>     # apt-key list
> 
> Perhaps they want me to install apt-key, and use it to look at the gpg
> keys installed on my system, and then somehow verify that they aren't
> compromised? Does that sound like I'm understanding them correctly?

apt-key is considered deprecated (check the man: apt-key(8)). However,
what this command does is show you the list of keys trusted for package
installation.

I guess it's to make sure you have only legit keys there - but I didn't
read those guidelines, so I can't be completely sure :)

Cheers,

-- 
nodens
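
Added example, not part of the original message or of the CIS guideline: a shell script that inspects the same global trust store that `apt-key list` shows, without calling the deprecated tool. It assumes the standard Debian locations `/etc/apt/trusted.gpg` and `/etc/apt/trusted.gpg.d/` and a GnuPG version that supports `--show-keys`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: review the keys apt trusts globally without using apt-key.
# Assumption: standard Debian trust-store paths under the given root.

# Print every keyring file apt consults as a global trust anchor.
# $1 = filesystem root (default "/"), so a mounted image can be audited too.
list_apt_keyrings() {
    root="${1:-/}"
    root="${root%/}"
    # Legacy single-file keyring, if it still exists.
    [ -f "$root/etc/apt/trusted.gpg" ] && printf '%s\n' "$root/etc/apt/trusted.gpg"
    # Drop-in fragments: only *.gpg (binary) and *.asc (armored) are read.
    for f in "$root"/etc/apt/trusted.gpg.d/*.gpg "$root"/etc/apt/trusted.gpg.d/*.asc; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Show owner, fingerprint and expiry of each key in one keyring file.
# --show-keys only displays the file's contents; nothing is imported.
show_keyring() {
    printf '== %s\n' "$1"
    gpg --show-keys --with-fingerprint "$1"
}

# Walk the whole trust store so each key can be compared by hand against
# the fingerprints published by the repository's owner.
audit_apt_keys() {
    list_apt_keyrings "${1:-/}" | while IFS= read -r ring; do
        show_keyring "$ring"
    done
}

# Run the audit only when asked, e.g.:  sh audit.sh --audit /
if [ "${1:-}" = "--audit" ]; then
    audit_apt_keys "${2:-/}"
fi
```

Any file listed here that you cannot tie to a repository you deliberately added is the thing to investigate, since every key in this store is trusted for all configured sources.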

