Previously jereme wrote:
> Can/is the checking of these signatures, (and fetching the appropriate
> developer keys) integrated into apt-get? What am I missing?

Apt works at a different level: it deals with download packages and archives, so it will not verify the signature that is embedded in a deb package. There is a separate plan for verifying signatures using apt. From memory this goes as follows:

* deb packages are installed in the archive
* the MD5 checksum for each package is listed in the Packages file
* the MD5 checksum for each Packages file for a release is listed in the Release file
* the archive creates a signature for the Release file that apt can verify

So by following the chain of MD5 sums apt should be able to verify that a package originates from a specific release. This is less flexible than debsigs since it does not work on a per-package basis but by combining them you have a very powerful system.

Wichert.

--
[EMAIL PROTECTED] This space intentionally left occupied
[EMAIL PROTECTED] http://www.liacs.nl/~wichert/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D