Re: Debian packages without md5sums

On Sun, 23 Sep 2007 17:32:20 +0900, Osamu Aoki wrote:

> During the etch in testing period, I recall several problems which
> erroneously made packages report as unsigned.

Since gpg-signed packages are an "etch" innovation, it explains why I
had not encountered the "warning" detailed below before.

I am still unclear about the point in the installation process at which
the signature of the installed package is checked.

The short story at this end is:

a. I purchased a DVD set of Debian 4.0 from a Debian-listed supplier
   and followed the Debian upgrade-instructions on all points except
   the final "aptitude update" step; I assumed that this needed a live
   Internet connection and my Internet connection is too slow (which
   is why I waited for the release of the "Official DVD set before
   attempting the upgrade from Sarge).

b. Etch works perfectly.  But both during the dist-upgrade and whenever I
   now use Synaptic to install a new package from my DVD set, I get a
   "warning" that I am installing software that "can't be
   authenticated", and that by doing this, a malicious individual could
   take control of or damage my system.

I have taken the view that the DVD-supplier would not remain in
business for very long if the products that he sold had been doctored
to permit the scenario described above.

But if there is an install step that would validate the signature on the
installed package, I would be grateful to be pointed to it.

>> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>> >> 
>> > these errors (untrusted packages) have to do with the new secure-apt
>> > system which uses gpg keys to confirm the signatures on
>> > packages. Install the debian-archive-keyring package and then update.
>> > 
>> The package was installed by default during the upgrade to Etch.  But
>> the documentation on how to use it is sparse.  A new (December 2003!) apt
>> routine - apt-key - can now be invoked and offers the following options:
>> | Usage: apt-key [command] [arguments]
>> | 
>> | Manage apt's list of trusted keys
>> | 
>> |   apt-key add <file>          - add the key contained in <file> ('-' for stdin)
>> |   apt-key del <keyid>         - remove the key <keyid>
>> |   apt-key update              - update keys using the keyring package
>> |   apt-key list                - list keys
>> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages?
> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> to install packages.  (Unless you disable it.)

So is the answer to my question:

	"use aptitude and not Synaptic" for installing packages?

> Well, look for mail archive (debian-user or debian-devel) on archive key
> issues.  You are not alone.

My next step!

Thank you for the very detailed reply.


Felix Karpfen
Public Key 72FDF9DF (DH/DSA)

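The check the thread is asking about is not done per .deb by dpkg but by apt, as a chain of hashes: the archive's Release file is signature-checked against the keys in /etc/apt/trusted.gpg, the Packages index is trusted only if its hash matches the Release file, and a .deb is trusted only if its hash matches the Packages index. The script below is an added example (not from this thread or from apt's source) that walks that chain on a constructed miniature archive; the signature step is assumed to have already passed, and the file names and package entry are made up.

```python
import hashlib
import re

def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from the Release file's `algo:` stanza."""
    hashes, in_block = {}, False
    for line in release_text.splitlines():
        if re.fullmatch(r"[A-Za-z0-9]+:", line.strip()):  # stanza header, e.g. "SHA256:"
            in_block = line.strip() == f"{algo}:"
            continue
        if in_block and line.startswith(" "):  # " <digest> <size> <path>"
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def parse_packages(packages_text: str) -> dict:
    """Return {package name: {field: value}} from a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        result[fields["Package"]] = fields
    return result

def verify_chain(release_text, packages_bytes, packages_path, pkg_name, deb_bytes):
    """Mirror apt's hash chain (Release signature assumed verified already).
    Returns None when the .deb is authenticated, else the step that failed."""
    release = parse_release_hashes(release_text)
    if packages_path not in release:
        return "index not listed in Release"
    digest, size = release[packages_path]
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return "Packages index does not match Release"
    entry = parse_packages(packages_bytes.decode())[pkg_name]
    if hashlib.sha256(deb_bytes).hexdigest() != entry["SHA256"]:
        return "package does not match Packages index (cannot be authenticated)"
    return None

# Constructed sample archive: a fake .deb, its Packages entry and a Release stanza.
DEB = b"!<arch>\nconstructed-not-a-real-deb\n"
PACKAGES = (f"Package: hello\nVersion: 2.2-1\nFilename: pool/main/h/hello/hello_2.2-1_i386.deb\n"
            f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
RELEASE = (f"Origin: Debian\nSuite: stable\nCodename: etch\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES, "main/binary-i386/Packages", "hello", DEB))
```

A package whose bytes differ from the index, or an index not covered by the signed Release file, is exactly what apt reports as software that "can't be authenticated".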