Re: Debian packages without md5sums
On Sun, 23 Sep 2007 17:32:20 +0900, Osamu Aoki wrote:
> During etch in testing period, I recall several problems which
> errouneously made to report to be unsigned package.
Since gpg-signed packages is an "etch" innovation, it explains why I
had not encountered before the "warning" detailed below.
I am still unclear about the point in the installation process at which
the signature of the installed package is checked.
The short story at this end is:
a. I purchased a DVD set of Debian 4.0 from a Debian-listed supplier
and followed the Debian upgrade-instructions on all points except
the final "aptitude update" step; I assumed that this needed a live
Internet connection and my Internet connection is too slow (which
is why I waited for the release of the "Official DVD set before
attempting the upgrade from Sarge).
b. Etch works perfectly. But both during the dist-upgrade and whenever I
now use Synaptic to install a new package from my DVD set, I get a
"warning" that I am installing software that "can't be
authenticated". And that by doing this, a malicious individual could
take control or damage my system.
I have taken the view that the DVD-supplier would not remain in
business for very long if the products that he sold had been doctored
to permit the scenario described above.
But if there is an install-step that would validate the signature on the
installed package, I would be grateful to be pointed to it.
>> On Tue, 11 Sep 2007 11:15:53 -0700, Andrew Sackville-West wrote:
>> > On Mon, Sep 10, 2007 at 09:17:59PM +0000, Felix Karpfen wrote:
>> > these errors (untrusted packages) have to do with the new secure-apt
>> > system which uses gpg keys to confirm the signatures on
>> > packages. Install the debian-archive-keyring package and then update.
>> The package was installed by default during the upgrade to Etch. But
>> the documentation on how to use it is sparse. A new (December 2003!) apt
>> routine - apt-key - can now be invoked and offers the following options:
>> | Usage: apt-key [command] [arguments]
>> | Manage apt's list of trusted keys
>> | apt-key add <file> - add the key contained in <file> ('-' for stdin)
>> | apt-key del <keyid> - remove the key <keyid>
>> | apt-key update - update keys using the keyring package
>> | apt-key list - list keys
>> But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
>> authenticate the individual installed packages.
> Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> to install package. (Unless you disable it.)
So is the answer to my question:
"use aptitude and not Synaptic" for installing packages?
> Well look for mail archive (debian-user or debian-devel) on archive key
> issues. You are not alone.
My next step!
Thank you for the very detailed reply.
Public Key 72FDF9DF (DH/DSA)