On Sun, Jun 24, 2007 at 08:54:05 +0100, Chris Lale wrote:
> Florian Kulzer wrote:
> [...]
> >
> > An even better approach would be to download the Backports.org Archive
> > Key manually and to check the signature before adding the new key to
> > apt's keyring. (Installing the debian-backports-keyring package directly
> > means that an unverified post-installation script has root on your
> > computer, therefore you cannot really trust anything after that,
> > including the keys on the Debian keyring.)
> >
> > P.S. The same goes for the debian-multimedia-keyring package.
> >
>
> Yes, Florian, you must be right! I wonder why they offer the keyring package?

The keyring package allows automatic installation of new signing keys, just
like debian-archive-keyring for the normal Debian pool. This is safe - or at
least as "safe" as your basic trust in Debian is - provided that you perform
the initial check. From then on, each new key can be verified (automatically)
with the old key during a transition period and the chain of trust remains
intact. (I don't know how often they will issue a new key for the backports
archive, though; the normal Debian archive keys get updated at least once a
year.)

> The instructions page does give instructions about how to install the key -
> and no mention of the debian-backports-keyring package:
>
> ... you can import backports.org archive's key into apt:
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
>
> or
>
> wget -O - http://backports.org/debian/archive.key | apt-key add -
>
> No mention of how to check it though. Can you check the sig before installing
> the key?

Yes, you can: Just run the "gpg ... --recv-keys ..." command as your normal
user and the new key will be added (as untrusted) to your normal user's public
keyring. Then you can perform the check:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C

and make sure that Joerg Jaspert's signature (key 7E7B8AC9) is valid. After
that you can feed the key to apt

$ gpg -a --export 16BA136C | sudo apt-key add -

and you are all set. If you do not want to use sudo then you can export the
key to a file before you become root:

$ gpg -a --export 16BA136C > backports-archive-key.txt
# apt-key add backports-archive-key.txt

If you have problems with the keyserver then you can use the wget command to
add the key to your public keyring:

$ wget -O - http://backports.org/debian/archive.key | gpg --import -

Then you can perform the same check before you tell apt to trust the key. I
would avoid running anything as root except for the apt-key command.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
         Florian    |
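The check Florian describes (receive the key as an unprivileged user, confirm it carries a good signature from a key in the Debian keyring, only then hand it to apt-key) can be automated so that the export step never runs unless the signature check passes. The script below is an added example, not code from the thread: the gpg and apt-key commands in install_verified_key() are the ones quoted above, while check_signer(), the sample gpg output and the e-mail addresses in it are constructed for this example. It parses gpg's machine-readable --with-colons output, where a "sig" record with status "!" is a good signature, "?" means the signer's key is not in any keyring, and "-" means a bad signature.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a downloaded archive key
# carries a good signature from an expected signer before trusting it in apt.

# check_signer SIGNER_SHORTID
# Reads "gpg --with-colons --check-sigs" output on stdin and exits 0 only if
# some 'sig' record has status '!' (good signature) and its signing key id
# (field 5) ends in SIGNER_SHORTID. Status '?' (signer key not in keyring)
# and '-' (bad signature) are both treated as "not verified".
check_signer() {
    awk -F: -v want="$1" '
        $1 == "sig" && $2 == "!" && $5 ~ (want "$") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# The full flow from the thread with the check automated. Not executed here:
# it needs network access, the debian-keyring package and root for apt-key.
install_verified_key() {
    key="$1" signer="$2"
    gpg --keyserver hkp://subkeys.pgp.net --recv-keys "$key" || return 1
    gpg --with-colons --keyring /usr/share/keyrings/debian-keyring.gpg \
        --check-sigs "$key" | check_signer "$signer" || {
        echo "no good signature from $signer on $key; refusing to trust it" >&2
        return 1
    }
    gpg -a --export "$key" | sudo apt-key add -
}

# Constructed sample output. The long key ids in field 5 are zero-padded
# placeholders; only the trailing short ids (16BA136C, 7E7B8AC9) and the
# signer's name come from the thread, the addresses are made up.
sample_good() {
    cat <<'EOF'
pub:-:1024:17:0000000016BA136C:2007-03-31:::-:Backports.org Archive Key <archive-key@example.org>::scESC:
sig:!::17:000000007E7B8AC9:2007-03-31::::Joerg Jaspert <joerg@example.org>:10x:
EOF
}

# Same key, but the signer's key is unavailable (status '?'), as you would
# see if debian-keyring were not installed or the wrong keyring were given.
sample_unknown_signer() {
    cat <<'EOF'
pub:-:1024:17:0000000016BA136C:2007-03-31:::-:Backports.org Archive Key <archive-key@example.org>::scESC:
sig:?::17:000000007E7B8AC9:2007-03-31::::[User ID not found]:10x:
EOF
}

if sample_good | check_signer 7E7B8AC9; then
    echo "sample_good: good signature from 7E7B8AC9 found"
else
    echo "sample_good: verification FAILED" >&2
fi
if sample_unknown_signer | check_signer 7E7B8AC9; then
    echo "sample_unknown_signer: unexpectedly verified" >&2
else
    echo "sample_unknown_signer: not verified (signer key unavailable)"
fi
```

Checking the signer's short key id on the "sig" record rather than just grepping for a name means a key with a forged user id cannot pass the check; the signing key still has to be present in /usr/share/keyrings/debian-keyring.gpg for gpg to report "!" at all, which is exactly the dependency on the Debian keyring that the thread relies on.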