On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <[EMAIL PROTECTED]> was heard to say:
> >> But How do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> >> authenticate the individual installed packages.
> >
> > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > to install package. (Unless you disable it.)
>
> So is the answer to my question:
>
> "use aptitude and not Synaptic" for installing packages?

It shouldn't matter which frontend you use. All the major frontends check the signature of the Release file when you download package lists from the archive. The Release file contains a cryptographic checksum for the Packages file, which contains checksums for each individual .deb package.

dpkg performs no key checking, at least on packages in the Debian archive. There was some experimental code to stick embedded signatures into .deb files, but I don't know what its status is and packages containing signatures aren't allowed in the archive last I heard.

  Daniel