Daniel Burrows <[EMAIL PROTECTED]> writes:

> On Mon, Sep 24, 2007 at 05:37:51AM +0000, Felix Karpfen <[EMAIL PROTECTED]> was heard to say:
> > >> But how do you use the key(s) listed in "/etc/apt/trusted.gpg" to
> > >> authenticate the individual installed packages.
> > >
> > > Oh, dpkg automatically checks it for you when you use apt-get/aptitude
> > > to install package. (Unless you disable it.)
> >
> > So is the answer to my question:
> >
> > "use aptitude and not Synaptic" for installing packages?
>
> It shouldn't matter which frontend you use. All the major frontends
> check the signature of the Release file when you download package lists
> from the archive. The Release file contains a cryptographic checksum
> for the Packages file, which contains checksums for each individual .deb
> package.
>
> dpkg performs no key checking, at least on packages in the Debian
> archive. There was some experimental code to stick embedded signatures
> into .deb files, but I don't know what its status is and packages
> containing signatures aren't allowed in the archive last I heard.

Is there some way to get the system to re-read the release file? I installed the key after I upgraded the system to etch, so all packages on my DVDs show as being unverified. I have tried to get it to clear that, but nothing I have tried has worked. I also noticed recently that some packages show multiple entries in aptitude, so possibly clearing the entries would clear that. I am not the OP, but this looks like it relates to my problem.

--
Carl Johnson [EMAIL PROTECTED]