
Re: Debian packages without md5sums



Daniel Burrows <dburrows@debian.org> writes:

> On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <felixk@webone.com.au> was heard to say:
> > >> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> > >> authenticate the individual installed packages?
> > > 
> > > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > > to install a package.  (Unless you disable it.)
> > 
> > So is the answer to my question:
> > 
> > 	"use aptitude and not Synaptic" for installing packages?
> 
>   It shouldn't matter which frontend you use.  All the major frontends
> check the signature of the Release file when you download package lists
> from the archive.  The Release file contains a cryptographic checksum
> for the Packages file, which contains checksums for each individual .deb
> package.
> 
>   dpkg performs no key checking, at least on packages in the Debian
> archive.  There was some experimental code to stick embedded signatures
> into .deb files, but I don't know what its status is and packages
> containing signatures aren't allowed in the archive last I heard.

Is there some way to get the system to re-read the release file?  I
installed the key after I upgraded the system to etch, so all
packages on my DVDs show as being unverified.  I have tried to get it
to clear that, but nothing I have tried has worked.  I also noticed
recently that some packages show multiple entries in aptitude, so
possibly clearing the entries would clear that.

I am not the OP, but this looks like it relates to my problem.

-- 
Carl Johnson		carlj@peak.org
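
The checksum chain described in the quoted reply above (Release lists a checksum for Packages, Packages lists a checksum for each .deb), as an added example that is not part of the original thread and is not apt's own code. It assumes the Release file's signature has already been verified against the apt keyring and uses the SHA256 fields; the function names and the sample Release/Packages/.deb data are constructed for illustration.

```python
import hashlib

def release_hashes(release_text, field="SHA256"):
    """Map path -> (hex digest, size) from one checksum section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field begins
            in_section = line.strip() == field + ":"
        elif in_section:                      # " <digest> <size> <path>"
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def package_stanzas(packages_text):
    """Yield each Packages stanza as a dict of field -> value."""
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1] in (" ", "\t"):       # continuation line (long description)
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        yield fields

def verify_deb(release_text, index_path, packages_bytes, deb_name, deb_bytes):
    """Return 'ok' or the reason the chain Release -> Packages -> .deb breaks."""
    want = release_hashes(release_text).get(index_path)
    if want is None:
        return "index not listed in Release"
    if (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes)) != want:
        return "Packages does not match Release"
    for st in package_stanzas(packages_bytes.decode()):
        if st.get("Filename") == deb_name:
            digest = hashlib.sha256(deb_bytes).hexdigest()
            if int(st["Size"]) != len(deb_bytes) or st["SHA256"] != digest:
                return ".deb does not match Packages"
            return "ok"
    return ".deb not listed in Packages"

# Constructed sample data (not a real archive).
DEB = b"constructed stand-in for the bytes of a .deb file"
DEB_PATH = "pool/main/e/example/example_1.0_all.deb"
PACKAGES = ("Package: example\nVersion: 1.0\nFilename: %s\nSize: %d\nSHA256: %s\n"
            % (DEB_PATH, len(DEB), hashlib.sha256(DEB).hexdigest())).encode()
INDEX = "main/binary-i386/Packages"
RELEASE = ("Suite: stable\nSHA256:\n %s %d %s\n"
           % (hashlib.sha256(PACKAGES).hexdigest(), len(PACKAGES), INDEX))

if __name__ == "__main__":
    print(verify_deb(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
```

A .deb that was never checked against a signed Release (for example, one whose Release signature could not be verified at the time the package lists were read) has no trusted starting point for this chain.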


