
Re: apt gpg keys/signatures



Hi Goswin,

Thanks for responding.

On Monday 05 Oct 2009 14:52:19 Goswin von Brederlow wrote:
> Are you using "apt_get --no-download update"? Afaik that only checks
> if the *.gpg file is present but does not verify its contents. So no
> way that should complain about signature errors.
> 

No. With apt-offline (https://alioth.debian.org/projects/apt-offline/), I try to 
get the data required by apt from a different machine (which could be 
windows/linux/mac). Then I take the data back and sync it to the machine with 
no network. After the sync, the expectation is that the sync should be clean 
and transparent making apt assume that _it_ actually downloaded the data. 
Whereas in reality, it doesn't even have a network connection.

BTW, I finished the gpg integration aka apt/secure. The beauty of Free Software 
is that even if there is no doc, you can go ahead and look at the sources.

What apt does is that it downloads the update data to 
/var/lib/apt/lists/partial along with the Release and Release.gpg file. The 
Release file is the main file that lists down the checksum of all other files in 
it. The Release file is what is GPG signed. Once apt verifies that the Release 
file is GPG clean, it moves the relevant data file to /var/lib/apt/lists/.

This is the same thing I have done now.

PS: I hope my understanding of apt/secure is correct.


Regards,
Ritesh
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."

Attachment: signature.asc
Description: This is a digitally signed message part.
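
Added example, not part of the original message and not code from apt or apt-offline: a sketch of the checksum step described above, where index files leave `partial/` only if they match the SHA256 entries in Release. It assumes Release was already verified against Release.gpg (for example with gpgv); the flat file naming, the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def parse_release(text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field header ends the section
    return entries

def promote_verified(release_text, partial_dir, lists_dir):
    """Move index files out of partial_dir only if size and SHA256 match Release.
    Assumption: Release itself was already checked against Release.gpg."""
    moved, rejected = [], []
    for path, (digest, size) in parse_release(release_text).items():
        name = path.replace("/", "_")  # simplified naming, not apt's full scheme
        src = os.path.join(partial_dir, name)
        if not os.path.isfile(src):
            continue  # this index was not synced
        with open(src, "rb") as fh:
            data = fh.read()
        if len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            shutil.move(src, os.path.join(lists_dir, name))
            moved.append(path)
        else:
            rejected.append(path)  # stays in partial/, never reaches lists/
    return moved, rejected

def demo():
    """Constructed sample: one intact index, one modified after Release was made."""
    root = tempfile.mkdtemp()
    partial, lists = os.path.join(root, "partial"), os.path.join(root, "lists")
    os.makedirs(partial)
    os.makedirs(lists)
    files = {"main/Packages": b"Package: hello\n", "contrib/Packages": b"Package: world\n"}
    release = "Suite: constructed\nSHA256:\n" + "".join(
        " %s %d %s\n" % (hashlib.sha256(d).hexdigest(), len(d), p) for p, d in files.items())
    files["contrib/Packages"] += b"Package: injected\n"  # tamper after hashing
    for p, d in files.items():
        with open(os.path.join(partial, p.replace("/", "_")), "wb") as fh:
            fh.write(d)
    moved, rejected = promote_verified(release, partial, lists)
    return moved, rejected, sorted(os.listdir(lists))

if __name__ == "__main__":
    print(demo())
```

The modified index is rejected because the signed Release pins both its size and its digest, so a file altered while being carried between machines never reaches the trusted lists directory.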

