Previously Emiel Metselaar wrote:
> Could anyone point me to some documentation about how this fits within
> the 'usual' apt-get update apt-get install procedure.

The idea is:

* packages are signed using debsig and get one (or more) embedded
  signatures
* apt & friends don't look at the signature and will just see a normal
  package
* dpkg will call debsig-verify to verify the signature and validate the
  package

The last step is currently skipped since /etc/dpkg/dpkg.cfg includes
the no-debsig option by default, otherwise debsig-verify would happily
reject all current packages.

Details on how debsig-verify verifies the signature (there is a whole
bunch of criteria you can specify) should be in the debsigs or
debsig-verify package.

Wichert.

-- 
[EMAIL PROTECTED]   This space intentionally left occupied
[EMAIL PROTECTED]   http://www.liacs.nl/~wichert/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
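
Added example, not part of the original message or of the dpkg/debsig code: a short Python check that lists the members of a .deb (an ar archive), picks out embedded signature members, and tests whether dpkg.cfg text carries the no-debsig option mentioned above. It assumes signature members use the `_gpg` name prefix (for example `_gpgorigin`) that debsigs gives them; the sample archive and config are constructed, and no signature is verified here, since that is debsig-verify's job.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Return [(name, size)] for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]              # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        members.append((name, size))
        pos += 60 + size + (size & 1)         # member data is padded to even length
    return members

def embedded_signatures(blob):
    # Assumption: embedded signatures are ar members named _gpg<type>.
    return [name for name, _ in ar_members(blob) if name.startswith("_gpg")]

def debsig_disabled(cfg_text):
    """True if dpkg.cfg text has an uncommented no-debsig line."""
    return any(line.strip() == "no-debsig" for line in cfg_text.splitlines())

def _member(name, data):
    # Build one ar member (header + padded data) for the constructed sample.
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
    return hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample package: placeholder payloads, not a real .deb.
SAMPLE_DEB = AR_MAGIC + b"".join(_member(n, d) for n, d in [
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"constructed"),
    ("data.tar.gz", b"constructed!"),
    ("_gpgorigin", b"constructed-sig"),
])
SAMPLE_CFG = "# dpkg configuration (constructed)\nno-debsig\n"

if __name__ == "__main__":
    print("members:   ", [n for n, _ in ar_members(SAMPLE_DEB)])
    print("signatures:", embedded_signatures(SAMPLE_DEB))
    print("no-debsig: ", debsig_disabled(SAMPLE_CFG))
```

A package that shows a signature member while dpkg.cfg still has no-debsig set is installed without that signature ever being checked.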