On Sun, 2008-06-22 at 22:39 +0200, Patrick Schoenfeld wrote: > On Sun, Jun 22, 2008 at 09:37:46PM +0200, Goswin von Brederlow wrote: > > PS: I would prefer if apt-get could fetch and verify keyring updates > > directly from a repository though. Keyring packages are awfull for key > > rollovers. > > Do you mean from a central repository, somewhat like a keyserver? :-) > How would one check integrity then?
Precisely as you do with any key - signatures and gpg integrity checks when the key is imported into apt-key. The repository would simply provide the ASCII armoured GPG key file that would be signed by keys belonging to relevant people - in that respect, it's not that different to any package. The text file is useless without being imported into gpg so the integrity checks in gpg provide the integrity check. -- Neil Williams <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
