Quoting Marcel Weber ([EMAIL PROTECTED]):

> A. Do I have to do something to activate this feature, besides
> installing debsigxxx? For example setting a flag in a config file. The
> dpkg and dselect man pages do not say anything about the signature
> verification (as of 1.9.21 on woody).
I noticed this, too. It's unfortunate. I'm not the right guy to answer your questions, but I've at least seen discussion of this matter before, and am trying to look up details while writing this. The matter was argued at length on the debian-dpkg list, starting here:

http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html

All you have to do is install debsig-verify. If the latter is present, dpkg will automatically check the signature of any package to be installed, and die if verification fails (except where overridden using a "--force-bad-verify" switch, or possibly --no-debsig, which you'll want to check).

I notice from browsing through the above-referenced thread a distinction between release signatures (picked up when using apt) and deb signatures. Different mechanisms. The dpkg patch under discussion checks the latter.

In invoking debsig-verify, dpkg can follow a local policy file, which I gather specifies which keyring of signatures is considered authoritative. I would guess that the debian-keyring package's files (/usr/share/keyrings/debian-keyring.gpg, /usr/share/keyrings/debian-keyring.pgp) are in the format required.

Above summary is guaranteed to be shallow: browsing the debian-dpkg thread suggests that issues abound, and that (no surprise) careful thinking about process and threat models is needed.

-- 
Cheers,                   There are only 10 types of people in this world --
Rick Moen                 those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
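An added example, not part of the post above and not code from dpkg or debsig-verify: a small Python script showing the two things the reply describes, namely what a per-package (deb) signature physically is and what the local policy file tells debsig-verify to check it against. A .deb is an `ar` archive; debsigs adds detached OpenPGP signatures as extra members named `_gpgorigin`, `_gpgmaint` and `_gpgbuilder`, and debsig-verify reads a policy from /etc/debsig/policies/<KEYID>/*.pol that names the signature type and the keyring file, looked up under /usr/share/debsig/keyrings/<KEYID>/. The script only reports presence and policy requirements; it does no cryptographic verification, which is debsig-verify's job. The sample packages, the key id `0123456789ABCDEF`, the keyring name `example.gpg` and the signature bytes are constructed placeholders.

```python
# Added example (not from the original thread): inspect a .deb for the
# signature members that debsigs adds, and read a debsig-verify policy to
# see which signature types and keyrings it demands. Presence of a member
# is NOT verification; gpg-backed verification is debsig-verify's job.
import xml.etree.ElementTree as ET

AR_MAGIC = b"!<arch>\n"
# debsigs stores detached OpenPGP signatures as extra ar members.
SIG_MEMBERS = {"_gpgorigin": "origin", "_gpgmaint": "maint", "_gpgbuilder": "builder"}
# Namespace used by debsig-verify policy files (.pol).
NS = "{http://www.debian.org/debsig/1.0/}"
# Documented keyring location used by debsig-verify: <dir>/<KEYID>/<File>.
KEYRING_DIR = "/usr/share/debsig/keyrings"


def build_ar(members):
    """Build a minimal ar archive from (name, body) pairs (constructed test data)."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        # ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode("ascii")
        out += hdr + body
        if len(body) % 2:          # ar pads member data to an even offset
            out += b"\n"
    return bytes(out)


def ar_members(data):
    """Parse an ar archive (which is what a .deb is) into {member_name: body}."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        body = data[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member %r" % name)
        members[name] = body
        pos += 60 + size + (size % 2)
    return members


def signature_types(deb):
    """Return the set of signature types present in a .deb ('origin', ...)."""
    return {SIG_MEMBERS[n] for n in ar_members(deb) if n in SIG_MEMBERS}


def policy_rules(policy_xml):
    """Return (origin_id, rules); each rule says which signature type a
    section demands and which keyring file it would be checked against."""
    root = ET.fromstring(policy_xml)
    origin_id = root.find(NS + "Origin").get("id")
    rules = []
    for section in ("Selection", "Verification"):
        sec = root.find(NS + section)
        if sec is None:            # an empty Element is falsy, so test for None
            continue
        for el in sec:
            rules.append({
                "section": section,
                "rule": el.tag.replace(NS, ""),       # Required or Optional
                "type": el.get("Type"),
                "keyring": f"{KEYRING_DIR}/{el.get('id')}/{el.get('File')}",
            })
    return origin_id, rules


def missing_required(deb, policy_xml):
    """Signature types the policy's Verification block requires but the
    package does not carry at all (so debsig-verify could never pass)."""
    present = signature_types(deb)
    _, rules = policy_rules(policy_xml)
    return sorted({r["type"] for r in rules
                   if r["section"] == "Verification" and r["rule"] == "Required"
                   and r["type"] not in present})


# Constructed sample packages (not real archives; signature bytes are placeholders).
PLAIN_MEMBERS = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data!")]
UNSIGNED_DEB = build_ar(PLAIN_MEMBERS)
SIGNED_DEB = build_ar(PLAIN_MEMBERS + [("_gpgorigin", b"<placeholder OpenPGP signature>")])

# Constructed policy; the key id and keyring name are placeholders, and a
# real .pol also carries a DOCTYPE referencing the debsig policy DTD.
SAMPLE_POLICY = """<?xml version="1.0"?>
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="example" id="0123456789ABCDEF" Description="placeholder key id"/>
  <Selection>
    <Required Type="origin" File="example.gpg" id="0123456789ABCDEF"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="example.gpg" id="0123456789ABCDEF"/>
  </Verification>
</Policy>
"""

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, "members:", sorted(ar_members(deb)),
              "signatures:", sorted(signature_types(deb)),
              "missing:", missing_required(deb, SAMPLE_POLICY))
    for rule in policy_rules(SAMPLE_POLICY)[1]:
        print(rule)
```

Two caveats the post does not cover. First, a member being present says nothing about who signed it: debsig-verify extracts the signer's key id from the `_gpg*` member, selects the policy directory by that id, and only then checks the signature against the named keyring, so a policy directory that does not exist for the signer means rejection, not a pass. Second, Debian's stock /etc/dpkg/dpkg.cfg has shipped with a `no-debsig` line for years, so installing debsig-verify alone does not turn the check on; that line has to be removed (or dpkg run without it) before dpkg will invoke debsig-verify at all.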