
Re: backports



On Sat, Jun 23, 2007 at 17:28:19 +0100, Chris Lale wrote:
> Bob Proulx wrote:

[...]

> > In backports-users Alexander Wirt wrote:
> >> I have uploaded the bpo keyring to the archive which makes it
> >> possible to add the bpo archive signing key via apt-get install
> >> debian-backports-keyring to your apt keyring. I hope I haven't missed
> >> anything but please test it.
> > 
> >   apt-cache show debian-backports-keyring
> > 
> >   Description: GnuPG archive key of the backports.org repository
> >    The backports repository digitally signs its Release files. This package
> >    contains the repository key used for that.
> >
> 
> Thanks Bob! You learn something new every day. :)
> 
> I might add that this package comes from the debian-backports repository itself,
> so you need to add the repository to /etc/apt/sources.list, "aptitude update",
> ignore the GPG error and "aptitude install debian-backports-keyring" to avoid
> GPG errors in future.

After installing the debian-backports-keyring package I would at least
check the signatures of the new key, like this:

--------------------

$ cd /usr/share/keyrings/
$ gpg --no-default-keyring --keyring ./debian-backports-keyring.gpg --keyring ./debian-keyring.gpg --check-sig "Backports.org Archive Key"
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key

1 signature not checked due to a missing key

--------------------

(I have removed all email addresses from the output of the gpg command.)

Then you know at least that the new key has been signed by Joerg Jaspert
and you checked his signature using his public key from the
debian-keyring package. (The second signature cannot be checked because
that key is not part of the Debian keyring.)

An even better approach would be to download the Backports.org Archive
Key manually and to check the signature before adding the new key to
apt's keyring. (Installing the debian-backports-keyring package directly
means that an unverified post-installation script has root on your
computer, therefore you cannot really trust anything after that,
including the keys on the Debian keyring.)

P.S. The same goes for the debian-multimedia-keyring package.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
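An added example, not code from this message or from Debian, that scripts the signature check described above and applies it to a keyring unpacked from the .deb before anything is installed, so no maintainer script runs first. The parser reads `gpg --check-sigs` output in the form quoted in the message; the file paths, the use of `apt-get download`, and the embedded sample (constructed from the output quoted above) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the mail or Debian): checks that a candidate
# archive key carries a good signature from a key in a keyring you already
# trust, before the key goes anywhere near apt. Paths are assumptions.

# Parse human-readable `gpg --check-sigs` output (as in the mail) on stdin and
# count good ("sig!") signatures by a signer listed in $2 (space-separated
# trusted key ids), skipping self-signatures; index() lets short ids match long.
count_trusted_sigs() {
    awk -v self="$1" -v trusted="$2" '
        $1 ~ /^sig!/ && index($2, self) == 0 && index(trusted, $2) > 0 { n++ }
        END { print n + 0 }'
}

# Key ids of every public key in a keyring (--with-colons is gpg's stable
# machine-readable format; field 5 of a "pub" record is the key id).
trusted_key_ids() {
    gpg --no-default-keyring --keyring "$1" --list-keys --with-colons \
        | awk -F: '$1 == "pub" { print $5 }' | tr '\n' ' '
}

# Verify key $1 from candidate keyring $2 against trusted keyring $3.
# Returns 0 only if at least one trusted signer vouches for it.
verify_archive_key() {
    n=$(gpg --no-default-keyring --keyring "$2" --keyring "$3" \
            --check-sigs "$1" 2>/dev/null \
        | count_trusted_sigs "$1" "$(trusted_key_ids "$3")")
    [ "${n:-0}" -ge 1 ]
}

# Constructed offline sample: the output quoted in the mail, minus the trailing
# "not checked" line, so the parser can be exercised without gpg or network.
sample_check_sigs() {
cat <<'EOF'
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key
EOF
}

# Usage: unpack the .deb without running its maintainer scripts, then verify
# its key before copying it into apt's trusted keyring directory:
#   apt-get download debian-backports-keyring
#   dpkg-deb -x debian-backports-keyring_*.deb ./bpo
#   verify_archive_key 16BA136C ./bpo/usr/share/keyrings/debian-backports-keyring.gpg \
#       /usr/share/keyrings/debian-keyring.gpg && echo "trusted signer found"
```

Only signers whose key id is in the trusted keyring count, so a key in the candidate keyring cannot vouch for another key shipped in the same package.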