Re: Debian packages without md5sums

To: debian-user@lists.debian.org
Subject: Re: Debian packages without md5sums
From: Felix Karpfen <felixk@webone.com.au>
Date: Mon, 24 Sep 2007 05:37:51 +0000 (UTC)
Message-id: <[🔎] fd7ifd$lnh$1@sea.gmane.org>
Reply-to: felix@spodzone.org.uk
References: <[🔎] fc4ca6$5tg$1@sea.gmane.org> <[🔎] 20070911181553.GB18618@localhost.localdomain> <[🔎] fc9lgh$j1h$1@sea.gmane.org> <[🔎] 20070923083220.GA23398@debian.org>

On Sun, 23 Sep 2007 17:32:20 +0900, Osamu Aoki wrote:

(Edited)
>
> During etch in testing period, I recall several problems which
> errouneously made to report to be unsigned package.

Since gpg-signed packages is an "etch" innovation, it explains why I
had not encountered before the "warning" detailed below.

I am still unclear about the point in the installation process at which
the signature of the installed package is checked.

The short story at this end is:

a. I purchased a DVD set of Debian 4.0 from a Debian-listed supplier
   and followed the Debian upgrade-instructions on all points except
   the final "aptitude update" step; I assumed that this needed a live
   Internet connection and my Internet connection is too slow (which
   is why I waited for the release of the "Official DVD set before
   attempting the upgrade from Sarge).

b. Etch works perfectly.  But both during the dist-upgrade and whenever I
   now use Synaptic to install a new package from my DVD set, I get a
   "warning"  that I am installing software that "can't be
   authenticated". And that by doing this, a malicious individual could
   take control or damage my system.

I have taken the view that the DVD-supplier would not remain in
business for very long if the products that he sold had been doctored
to permit the scenario described above.

But if there is an install-step that would validate the signature on the
installed package, I would be grateful to be pointed to it. 

>> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>> 
>> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>> >> 
>> > these errors (untrusted packages) have to do with the new secure-apt
>> > system which uses gpg keys to confirm the signatures on
>> > packages. Install the debian-archive-keyring package and then update.
>> > 
>> The package was installed by default during the upgrade to Etch.  But
>> the documentation on how to use it is sparse.  A new (December 2003!) apt
>> routine - apt-key - can now be invoked and offers the following options:
>> 
>> | Usage: apt-key [command] [arguments]
>> | 
>> | Manage apt's list of trusted keys
>> | 
>> |   apt-key add <file>          - add the key contained in <file> ('-' for stdin)
>> |   apt-key del <keyid>         - remove the key <keyid>
>> |   apt-key update              - update keys using the keyring package
>> |   apt-key list                - list keys
>> 
>> 
>> But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages. 
> 
> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> to install package.  (Unless you disable it.)

So is the answer to my question:

	"use aptitude and not Synaptic" for installing packages?
> 
> 
> Well look for mail archive (debian-user or debian-devel) on archive key
> issues.  You are not alone.

My next step!

Thank you for the very detailed reply.

Felix

-- 
Felix Karpfen
Public Key 72FDF9DF (DH/DSA)

Reply to:

References:
- Debian packages without md5sums
  - From: Felix Karpfen <felixk@webone.com.au>
- Re: Debian packages without md5sums
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>
- Re: Debian packages without md5sums
  - From: Felix Karpfen <felixk@webone.com.au>
- Re: Debian packages without md5sums
  - From: Osamu Aoki <osamu@debian.org>

Prev by Date: Re: how to remote login and copy files?
Next by Date: How to reduce pdf file size with open source software?
Previous by thread: Re: Debian packages without md5sums
Next by thread: dual purpose USB-key
Index(es):
- Date
- Thread