Conectiva currently has support for signed _repositories_, as well as signed RPM packages. Check out their /etc/apt/sources.list for more info on it.
The code may be portable to Debian, as their APT is based directly off of Debian's way of doing things. http://distro.conectiva.com/projetos/42/ Perhaps this is nothing new, just thought I'd throw it out there. On Thu, 2001-12-13 at 09:24, Wichert Akkerman wrote: > Previously jereme wrote: > > Can/is the checking of these signatures, (and fetching the appropriate > > developer keys) integrated into apt-get? What am I missing? > > Apt works at a different level: it deals with download packages and > archives, so it will not verify the signature that is embedded in > a deb package. > > There is a seperate plan for verifying signatures using apt. From > memory this goes as follows: > > * deb packages are installed in the archive > * the MD5 checksum for each package is listed in the Packages file > * the MD5 checksum for each Packages file for a release is listed in > the Release file > * the archive creates a signature for the Release file that apt can > verify > > So by following the chain of MD5 sums apt should be able to verify > that a package originates from a a specific release. This is less > flexible then debsigs since it does not work on a per-package basis > but by combining them you have a very powerful system. > > Wichert. > > -- > _________________________________________________________________ > /[EMAIL PROTECTED] This space intentionally left occupied \ > | [EMAIL PROTECTED] http://www.liacs.nl/~wichert/ | > | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- Blake Barnett (bdb) <[EMAIL PROTECTED]> Sr. Unix Administrator DevelopOnline.com office: 480-377-6816 "Do, or do not. There is no try." --Yoda
