Re: apt gpg keys/signatures
Ritesh Raj Sarraf <rrs@researchut.com> writes:
> Hi Goswin,
>
> Thanks for responding.
>
> On Monday 05 Oct 2009 14:52:19 Goswin von Brederlow wrote:
>> Are you using "apt-get --no-download update"? Afaik that only checks
>> if the *.gpg file is present but does not verify its contents. So no
>> way that should complain about signature errors.
>>
>
> No. With apt-offline (https://alioth.debian.org/projects/apt-offline/), I try to
> get the data required by apt from a different machine (which could be
> windows/linux/mac). Then I take the data back and sync it to the machine with
> no network. After the sync, the expectation is that the sync should be clean
> and transparent making apt assume that _it_ actually downloaded the data.
> Whereas in reality, it doesn't even have a network connection.
>
> BTW, I finished the gpg integration aka apt/secure. The beauty of Free Software
> is that even if there is no doc, you can go ahead and look at the sources.
>
> What apt does is that it downloads the update data to
> /var/lib/apt/lists/partial along with the Release and Release.gpg file. The
> Release file is the main file that lists down the checksum of all other files in
> it. The Release file is what is GPG signed. Once apt verifies that the Release
> file is GPG clean, it moves the relevant data file to /var/lib/apt/lists/.
>
> This is the same thing I have done now.
Which is what I said. You just put the files into /var/lib/apt/lists/
under the right name and apt assumes they check out. It doesn't
actually verify them any more once they passed the initial verify and
left /partial/.
Then, to get apt to parse the files you placed there you run
apt-get --no-download update
That should blindly accept the files as trusted.
> PS: I hope my understanding of apt/secure is correct.
MfG
Goswin
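As an added illustration (not code from this thread, from apt or from apt-offline): the two checks apt performs before promoting files out of /partial/, signature on Release and then size/SHA256 of each data file, done in Python so an offline sync can repeat them itself before dropping anything into /var/lib/apt/lists/. The Packages stanza and Release text are constructed; gpgv and /etc/apt/trusted.gpg are assumed to exist for the signature step.

```python
import hashlib
import subprocess

# Constructed sample Packages file, standing in for what was fetched into
# /var/lib/apt/lists/partial on the networked machine.
SAMPLE_PACKAGES = (
    b"Package: hello\nVersion: 2.4-1\nArchitecture: i386\n"
    b"Filename: pool/main/h/hello/hello_2.4-1_i386.deb\n\n"
)
SAMPLE_PATH = "main/binary-i386/Packages"


def build_sample_release(packages):
    """Constructed Release text in apt's format: header fields, then a
    SHA256: section of ' <hex digest> <size> <path>' lines."""
    digest = hashlib.sha256(packages).hexdigest()
    return ("Origin: Debian\nSuite: stable\nArchitectures: i386\n"
            "Components: main\nSHA256:\n"
            f" {digest} {len(packages)} {SAMPLE_PATH}\n")


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256: section of Release."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # header or section name
            in_section = line.rstrip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_release_signature(release_path, sig_path,
                             keyring="/etc/apt/trusted.gpg"):
    """Detached-signature check of Release.gpg over Release with gpgv
    (assumed installed); this is the step that must pass first."""
    result = subprocess.run(["gpgv", "--keyring", keyring, sig_path,
                             release_path], capture_output=True)
    return result.returncode == 0


def files_to_promote(entries, downloaded):
    """Given {path: bytes} taken from partial/, return only the paths whose
    size and SHA256 match Release; nothing else may move into lists/."""
    return [p for p, data in downloaded.items()
            if p in entries
            and len(data) == entries[p][1]
            and hashlib.sha256(data).hexdigest() == entries[p][0]]
```

Once the signature check and files_to_promote both pass, the promoted files are exactly what apt would have placed in /var/lib/apt/lists/ itself, so the later `apt-get --no-download update` is trusting verified data.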