> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key.
>
> Dpkg, OTOH, can't tell where a package is meant to have come from, so can
> only do:
>
> a) Check the signature's valid, and report who signed it
> b) Expect the user to tell it which keyring to use, and check that
>    the key's in that keyring (dpkg-source --from=debian -x *.dsc)
> c) Check that the signature is from the "Maintainer:"
You really need to read the debsig-verify package signing docs. In fact, anything can tell with a good bit of security, just where a package came from. The signing policy handles this. Apt and/or dpkg simply call debsig-verify (note, the URL you download it from is not a security measure, especially considering lots of people have local mirrors, or hand-downloaded packages).

-- 
Debian - http://www.debian.org/
Linux 1394 - http://linux1394.sourceforge.net/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/
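To make concrete what "the signing policy handles this" means, here is an added illustration of a debsig-verify policy file; it is not from either message above nor from the debsig-verify project itself. It binds one hypothetical third-party origin to its own keyring, which is the per-origin expectation the first poster wanted apt to encode: the package is accepted only if its "origin" signature was made by the named key out of the named keyring, regardless of which mirror or URL it was fetched from. The origin name, the EXAMPLE_KEY_ID placeholder and the keyring file name are invented; the element and attribute names follow the debsig-verify policy syntax as documented in the package (policy-syntax.txt), which is the place to confirm details such as optional `id` attributes.

```xml
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <!-- Origin: the signing key this policy is about.
       EXAMPLE_KEY_ID is a placeholder for the real key's fingerprint. -->
  <Origin Name="Example Origin" id="EXAMPLE_KEY_ID"
          Description="Hypothetical third-party repository (example only)"/>

  <!-- Selection: this policy is chosen only when the package carries an
       "origin" signature made by EXAMPLE_KEY_ID, looked up in the named
       keyring (constructed file name). -->
  <Selection>
    <Required Type="origin" File="example-keyring.gpg" id="EXAMPLE_KEY_ID"/>
  </Selection>

  <!-- Verification: what must check out for the package to be accepted.
       The origin signature is mandatory. A "maint" signature, if present,
       is also verified against the same keyring, but MinOptional="0" means
       its absence does not cause rejection. -->
  <Verification MinOptional="0">
    <Required Type="origin" File="example-keyring.gpg" id="EXAMPLE_KEY_ID"/>
    <Optional Type="maint" File="example-keyring.gpg"/>
  </Verification>
</Policy>
```

debsig-verify looks for policies under /etc/debsig/policies/&lt;key fingerprint&gt;/ and for the keyrings they name under /usr/share/debsig/keyrings/&lt;key fingerprint&gt;/, so a Debian policy and a third-party policy live side by side and each package is matched to the policy for the key that actually signed it. This is how the tool answers "where is this package meant to have come from" without trusting the download location: a Debian-signed package is judged against the Debian policy, and a package signed by some other key is judged against that key's policy or rejected if none exists.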

