> > > This all sounds pretty promising! Thank you, Noah! Do you happen to
> > > know how to access this metadata? I'd love to be able to look at it and
> > > understand it better.
> >
> > See the signed InRelease files in /var/lib/apt/lists

Ah! I see some files here that are relevant to my search. Thanks! For instance, on my system, I see a mirrors.linode.com_debian_dists_buster_main_binary-amd64_Packages file that contains a single SHA256 and a single MD5sum hash for each amd64 package. I could see how that sort of information could be used to verify, on the fly, the packages that arrive here.

> You should read
> https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

Thanks! I will do so!
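An added example, not from this thread or from apt itself, of the check the Packages file entries above make possible: it parses a constructed Packages stanza of the kind found under /var/lib/apt/lists and verifies a constructed .deb's Size, SHA256 and MD5sum against it. The signed InRelease file is what authenticates the Packages file itself; that signature step is outside this example.

```python
import hashlib

# Constructed sample .deb bytes; the stanza's Size and hashes below are derived
# from them so the example is self-consistent and runs offline.
SAMPLE_DEB = b"!<arch>\nfake-debian-package-contents\n"

SAMPLE_PACKAGES = f"""Package: example-tool
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb
Size: {len(SAMPLE_DEB)}
MD5sum: {hashlib.md5(SAMPLE_DEB).hexdigest()}
SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
Description: constructed entry
 used only for this example

Package: other-tool
Version: 2.3-4
Architecture: amd64
Filename: pool/main/o/other-tool/other-tool_2.3-4_amd64.deb
Size: 12345
MD5sum: 00000000000000000000000000000000
SHA256: {"0" * 64}
"""


def parse_packages(text):
    """Split deb822-style text into stanzas, indexed by Filename."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation line (e.g. long Description)
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def verify_deb(index, filename, data):
    """True only if Size, SHA256 and MD5sum all match the Packages entry."""
    entry = index.get(filename)
    if entry is None or int(entry["Size"]) != len(data):
        return False
    # SHA256 carries the security; MD5sum is still listed for compatibility.
    if hashlib.sha256(data).hexdigest() != entry["SHA256"]:
        return False
    return hashlib.md5(data).hexdigest() == entry["MD5sum"]
```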