Re: Debian packages without md5sums
Daniel Burrows <dburrows@debian.org> writes:
> On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <felixk@webone.com.au> was heard to say:
> > >> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> > >> authenticate the individual installed packages?
> > >
> > > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > > to install a package. (Unless you disable it.)
> >
> > So is the answer to my question:
> >
> > "use aptitude and not Synaptic" for installing packages?
>
> It shouldn't matter which frontend you use. All the major frontends
> check the signature of the Release file when you download package lists
> from the archive. The Release file contains a cryptographic checksum
> for the Packages file, which contains checksums for each individual .deb
> package.
>
> dpkg performs no key checking, at least on packages in the Debian
> archive. There was some experimental code to stick embedded signatures
> into .deb files, but I don't know what its status is and packages
> containing signatures aren't allowed in the archive last I heard.
Is there some way to get the system to re-read the release file? I
installed the key after I upgraded the system to etch, so all
packages on my DVDs show as being unverified. I have tried to get it
to clear that, but nothing I have tried has worked. I also noticed
recently that some packages show multiple entries in aptitude, so
possibly clearing the entries would clear that.
I am not the OP, but this looks like it relates to my problem.
--
Carl Johnson carlj@peak.org