signatures for debs installed manually

Hi,

Someone, such as a Debian maintainer, will occasionally request that users test a package that he has built, but is not yet available in the repositories, e.g.:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#52
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#60

Is there any way of ensuring that the package is legitimate? IIUC, since I'm not going through the repos with the apt tools, there's no checking of signatures. I suppose that I can trust the developer, and verify that the email notification is legitimate by checking his pgp signature, but how can I be sure that the package I download is the one he uploaded?

This is largely an academic question, since in the real world, this is probably secure enough for my needs, but I'd like to know if there's a Right Way to do this.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--
To UNSUBSCRIBE, email to debian-security-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
Re: signatures for debs installed manually

Celejar <celejar@...> writes:

> On Tue, 8 Sep 2009 12:01:09 +1000
> Morgan Storey <me@...> wrote:
>
>> Hi Celejar,
>>
>> You can get him to PGP/GPG sign the package, then just verify it with
>> his public key, or simply md5sum and sha1sum the package. There are MD5
>> collisions so someone could make a package of the same size with the
>> same md5 hash that contains different malicious code but for your
>> needs it should be enough.
>> Obviously the safest out of all of these is the PGP/GPG but the MD5
>> and sha1 are easier to implement. In this case below I don't know the
>> procedures but the developer will probably have a GPG key that he can
>> sign the package with, then just get his public key off a key server
>> and verify.
>
> Thanks. I know that there are ways to do this, but I was wondering if
> the developer needs to be asked in each case, or if there's some sort
> of standard procedure that is followed.
>
> Celejar

There is a tool for this called dpkg-sig. But signed debs are not accepted by the Debian archive so that is rarely used.

Maybe a better alternative would be to just create an apt repository.

Last, and most work for you, you can fetch the source, assuming the dsc file is signed, and build your own package.

Kind regards,
Goswin
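The procedure Morgan describes in the quoted mail (the developer signs the package, the user verifies it with his public key), as an added example that is not part of the thread: it uses a plain detached gpg signature rather than dpkg-sig, pairs it with a SHA-256 check against the digest taken from the signed announcement, and assumes gpg, sha256sum and mktemp are installed. The key, the package file and the digests are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check a manually downloaded .deb
# against the developer's detached OpenPGP signature, then against the
# SHA-256 digest he announced in his (already signature-checked) mail.
# Assumes gpg, sha256sum and mktemp exist; every key, file and digest
# below is constructed for the demo.

verify_deb() {
    # $1 .deb   $2 detached signature   $3 keyring holding ONLY the dev's key
    # $4 expected SHA-256 hex digest copied from the signed announcement
    deb=$1; sig=$2; keyring=$3; expected=$4
    # Step 1: the signature must verify against our dedicated keyring, not
    # against whatever keys happen to sit in the default one.
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$deb" 2>/dev/null \
        || { echo "BAD SIGNATURE: $deb"; return 1; }
    # Step 2: bind the bytes on disk to the announced digest (SHA-256, not MD5).
    actual=$(sha256sum "$deb" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "DIGEST MISMATCH: $deb"; return 2; }
    echo "OK: $deb"
}

demo_setup() {
    # Throwaway GnuPG home, so the real keyring is never touched.
    DEMO=$(mktemp -d) || return 1
    GNUPGHOME="$DEMO/gnupg"; export GNUPGHOME; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-gen-key \
        'Demo Dev <dev@example.invalid>' default default never 2>/dev/null || return 1
    DEB="$DEMO/foo_1.0-1_all.deb"; SIG="$DEB.asc"; KEYRING="$DEMO/dev.gpg"
    printf 'constructed stand-in for a .deb\n' > "$DEB"
    # What the developer would do: detach-sign the package, publish his key.
    gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        --output "$SIG" "$DEB" 2>/dev/null || return 1
    gpg --export dev@example.invalid > "$KEYRING" || return 1
    EXPECTED=$(sha256sum "$DEB" | cut -d' ' -f1)
    # A download that was altered in transit: same name, different bytes.
    TAMPERED="$DEMO/foo_1.0-1_all.deb.tampered"
    printf 'constructed stand-in for a .deb, altered\n' > "$TAMPERED"
}

demo_setup
verify_deb "$DEB" "$SIG" "$KEYRING" "$EXPECTED"        # OK
verify_deb "$TAMPERED" "$SIG" "$KEYRING" "$EXPECTED"   # BAD SIGNATURE
verify_deb "$DEB" "$SIG" "$KEYRING" "0000000000"       # DIGEST MISMATCH
gpgconf --kill gpg-agent 2>/dev/null
```

A valid signature only proves the bytes came from whoever holds that key, so the key itself still has to be fetched and checked out of band (key server plus fingerprint from the signed mail) before the result means anything.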
Re: signatures for debs installed manually

On Wed, 16 Sep 2009 09:25:45 +0200
Goswin von Brederlow <goswin-v-b@...> wrote:

...

> There is a tool for this called dpkg-sig. But signed debs are not
> accepted by the Debian archive so that is rarely used.
>
> Maybe a better alternative would be to just create an apt repository.
>
> Last, and most work for you, you can fetch the source, assuming the
> dsc file is signed, and build your own package.

Thanks for the information. The package in question actually made it into the repo shortly after I began this thread, but this is good to know for the next time this happens.

Celejar