Re: backports
Florian Kulzer wrote:
> On Sun, Jun 24, 2007 at 08:54:05 +0100, Chris Lale wrote:
>> Florian Kulzer wrote:
>> [...]
>>> An even better approach would be to download the Backports.org Archive
>>> Key manually and to check the signature before adding the new key to
>>> apt's keyring. (Installing the debian-backports-keyring package directly
>>> means that an unverified post-installation script has root on your
>>> computer, therefore you cannot really trust anything after that,
>>> including the keys on the Debian keyring.)
>>>
>>> P.S. The same goes for the debian-multimedia-keyring package.
>>>
>> Yes, Florian, you must be right! I wonder why they offer the keyring package?
>
> The keyring package allows automatic installation of new signing keys,
> just like debian-archive-keyring for the normal Debian pool. This is
> safe - or at least as "safe" as your basic trust in Debian is - provided
> that you perform the initial check. From then on, each new key can be
> verified (automatically) with the old key during a transition period and
> the chain of trust remains intact. (I don't know how often they will
> issue a new key for the backports archive, though; the normal Debian
> archive keys get updated at least once a year.)
>
>> The instructions page does give instructions about how to install the key -
>> and no mention of the debian-backports-keyring package:
>>
>> ... you can import backports.org archive’s key into apt:
>>
>> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
>> gpg --export | apt-key add -
>>
>> or
>>
>> wget -O - http://backports.org/debian/archive.key | apt-key add -
>>
>> No mention of how to check it though. Can you check the sig before installing
>> the key?
>
> Yes, you can: Just run the "gpg ... --recv-keys ..." command as your
> normal user and the new key will be added (as untrusted) to your normal
> user's public keyring. Then you can perform the check:
>
> $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C
>
> and make sure that Joerg Jaspert's signature (key 7E7B8AC9) is valid.
> After that you can feed the key to apt
>
> $ gpg -a --export 16BA136C | sudo apt-key add -
>
> and you are all set. If you do not want to use sudo then you can export
> the key to a file before you become root:
>
> $ gpg -a --export 16BA136C > backports-archive-key.txt
> # apt-key add backports-archive-key.txt
>
> If you have problems with the keyserver then you can use the wget
> command to add the key to your public keyring:
>
> $ wget -O - http://backports.org/debian/archive.key | gpg --import -
>
> Then you can perform the same check before you tell apt to trust the
> key. I would avoid running anything as root except for the apt-key
> command.
>
How do you check the output of "gpg --check-sigs"? I Googled a bit and it seems
that an exclamation mark ("!") indicates a successful check. Is that true?
eg
$ gpg --check-sigs --keyring /usr/share/keyrings/debian-backports-keyring.gpg
/usr/share/keyrings/debian-backports-keyring.gpg
------------------------------------------------
pub 1024D/16BA136C 2005-08-21
uid Backports.org Archive Key <ftp-master@backports.org>
sig!3 16BA136C 2005-08-21 Backports.org Archive Key <ftp-master@backports.org>
sig!3 16BA136C 2005-08-21 Backports.org Archive Key <ftp-master@backports.org>
sub 2048g/5B82CECE 2005-08-21
sig! 16BA136C 2005-08-21 Backports.org Archive Key <ftp-master@backports.org>
I wanted to find a generic method of importing and checking keys for a number of
unofficial deb sites. It is difficult to find the key ids on some of the
websites. One thing they all had in common was having a keyring package. I tried
backports.org, debian-multimedia.org and debian-unofficial.org. So, here is my
generic method:
1. Add the appropriate line to /etc/apt/sources.list.
2. Update with apt-get or aptitude.
3. Install the appropriate keyring package (eg debian-multimedia-keyring). The
keyrings all end up in /etc/share/keyrings/${package-name}.gpg
4. Check the signatures IMMEDIATELY eg
$ gpg --check-sigs --keyring /usr/share/keyrings/debian-multimedia-keyring.gpg
5. If the check fails,
a. Purge the keyring package and check that the keyring subdirectory has been
removed from /etc/share/keyrings/.
b. You can still install packages from the suspect repository, but there will be
a warning. To be safe, remove the repository line from /etc/apt/sources.list.
--
Chris.
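The thread asks how to read the output of "gpg --check-sigs". The "sig!3" lines are gpg's human-readable format; for anything scripted, gpg's colon-separated output (--with-colons) is the stable one, and in it the second field of a "sig" record is "!" for a good signature, "-" for bad, "?" when the signer's key is not available and "%" for other errors. The following Python script is an added example written for this page (not code from the thread, from Debian or from the backports.org project): it parses that colon format and only accepts the archive key when it carries a good certification from a key already trusted (on the page, Joerg Jaspert's 7E7B8AC9 as found in debian-keyring.gpg), which is exactly the step the quoted output above does not show, since it was produced without the Debian keyring and therefore lists only self-signatures. The sample output is constructed; the long key IDs in it are invented and only their trailing eight hex digits come from the thread. Signer IDs are matched by suffix so the short IDs quoted on the page work; a real script should compare full fingerprints, since short key IDs can collide.

```python
"""Added example: decide from `gpg --with-colons --check-sigs` output whether a
repository signing key has a good certification from a key we already trust.

The "sig!3 ..." lines quoted in the thread are gpg's human-readable output;
`--with-colons` is the machine-readable format documented in gpg's DETAILS
file, so scripts should parse that instead of grepping for "!".
"""
import subprocess
from dataclasses import dataclass, field

# Validity codes in the second field of a "sig" record (gpg DETAILS).
GOOD, BAD, NO_KEY, ERROR = "!", "-", "?", "%"


@dataclass
class Key:
    keyid: str                                   # long key ID from the pub record
    uids: list = field(default_factory=list)
    sigs: list = field(default_factory=list)     # (validity, signer_keyid, sig_class)


def parse_check_sigs(text):
    """Parse colon records; keep certifications on the primary key and its uids,
    but not subkey-binding signatures (those follow a `sub` record)."""
    keys, current, in_subkey = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 11:
            continue                              # tru and other short records
        rectype = f[0]
        if rectype == "pub":
            current, in_subkey = Key(keyid=f[4]), False
            keys.append(current)
        elif rectype == "sub":
            in_subkey = True
        elif rectype == "uid" and current is not None:
            current.uids.append(f[9])
        elif rectype == "sig" and current is not None and not in_subkey:
            current.sigs.append((f[1], f[4], f[10]))
    return keys


def verify_key(text, target_keyid, trusted_signers):
    """Return a verdict dict for target_keyid, or None if the key is absent.

    trusted_signers: key IDs (short or long) whose certification we accept.
    Matching is by suffix so short IDs work; prefer full fingerprints in practice.
    """
    target = target_keyid.upper()
    for key in parse_check_sigs(text):
        if not key.keyid.upper().endswith(target):
            continue
        verdict = {"keyid": key.keyid, "trusted_by": [], "bad": [],
                   "unverifiable": [], "self_signed": False}
        for validity, signer, _sig_class in key.sigs:
            if signer == key.keyid:               # self-signature: consistency only
                verdict["self_signed"] = validity == GOOD
                continue
            if validity == BAD:
                verdict["bad"].append(signer)
            elif validity in (NO_KEY, ERROR):
                verdict["unverifiable"].append(signer)
            elif validity == GOOD and any(signer.upper().endswith(t.upper())
                                          for t in trusted_signers):
                verdict["trusted_by"].append(signer)
        # A self-signature alone proves nothing; demand a good third-party sig.
        verdict["ok"] = bool(verdict["trusted_by"]) and not verdict["bad"]
        return verdict
    return None


def run_check_sigs(keyid, keyring="/usr/share/keyrings/debian-keyring.gpg"):
    """Live invocation against the local gpg (not used by the offline sample)."""
    cmd = ["gpg", "--with-colons", "--keyring", keyring, "--check-sigs", keyid]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample: a key certified by an (assumed) trusted signer, plus one
# signature whose signer key is not in any keyring. Long IDs are invented.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:-:1024:17:AAAAAAAA16BA136C:2005-08-21:::-:::scESC:
uid:-::::2005-08-21::HASH::Backports.org Archive Key <ftp-master@backports.org>:
sig:!::17:AAAAAAAA16BA136C:2005-08-21::::Backports.org Archive Key <ftp-master@backports.org>:13x:
sig:!::17:BBBBBBBB7E7B8AC9:2007-01-10::::Joerg Jaspert (constructed uid) <jj@example.invalid>:10x:
sig:?::17:CCCCCCCC01234567:2007-02-02::::[User ID not found]:10x:
sub:-:2048:16:DDDDDDDD5B82CECE:2005-08-21::::::e:
sig:!::17:AAAAAAAA16BA136C:2005-08-21::::Backports.org Archive Key <ftp-master@backports.org>:18x:
"""

# Constructed sample mirroring the thread's output: self-signatures only, as you
# get when --check-sigs runs without the keyring that holds the certifier.
SAMPLE_SELF_ONLY = """\
pub:-:1024:17:AAAAAAAA16BA136C:2005-08-21:::-:::scESC:
uid:-::::2005-08-21::HASH::Backports.org Archive Key <ftp-master@backports.org>:
sig:!::17:AAAAAAAA16BA136C:2005-08-21::::Backports.org Archive Key <ftp-master@backports.org>:13x:
"""

if __name__ == "__main__":
    print(verify_key(SAMPLE, "16BA136C", ["7E7B8AC9"]))
    print(verify_key(SAMPLE_SELF_ONLY, "16BA136C", ["7E7B8AC9"]))
```

Run against a live key with run_check_sigs("16BA136C") after the "--recv-keys" step from the thread, and only pipe the key into apt-key when verdict["ok"] is true; a verdict with self_signed set but trusted_by empty is what the quoted output above corresponds to, and it should not be treated as a pass.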