On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?

Individual packages are not signed, so you would basically need to manually
repeat the process which APT uses for verifying package integrity:

- calculate package's MD5 and SHA sums
- look up the package in the Packages file, check they match, calculate the
  Packages(.gz) file's sums
- look that one up in a Release file
- verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.

-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
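
The hash chain described in the reply above, as an added example that is not part of the original post: it checks a downloaded .deb against its Packages stanza and the Packages file against the Release file. It assumes the SHA256 fields of an uncompressed Packages file; the package name, paths and data are constructed samples, and the Release file's signature still has to be checked separately against a trusted archive key.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def package_entry(packages_text: str, name: str) -> dict:
    """Return the stanza for `name` from a Packages file as a field dict."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):        # continuation of a long field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Package") == name:
            return fields
    raise KeyError(name)

def release_sums(release_text: str, section: str = "SHA256") -> dict:
    """Map path -> (hash, size) from one checksum section of a Release file."""
    sums, inside = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a new top-level field starts
            inside = line.rstrip() == section + ":"
        elif inside:
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums

def verify_chain(deb: bytes, name: str, packages: bytes,
                 packages_path: str, release_text: str) -> bool:
    """True only if the .deb matches Packages and Packages matches Release.
    The Release text must already have passed: gpg --verify Release.gpg Release"""
    entry = package_entry(packages.decode(), name)
    if int(entry["Size"]) != len(deb) or entry["SHA256"] != sha256(deb):
        return False
    return release_sums(release_text).get(packages_path) == (sha256(packages), len(packages))

# Constructed sample data standing in for files fetched from the archive tree.
DEB = b"constructed stand-in for hello_1.0_all.deb"
PACKAGES = (f"Package: hello\nVersion: 1.0\n"
            f"Filename: pool/main/h/hello/hello_1.0_all.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n"
            f"Description: sample\n extended text\n").encode()
RELEASE = (f"Suite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} main/binary-all/Packages\n")
```

A modified package fails the first comparison, and a Packages file edited to match a modified package fails the second, which is why the signature on Release anchors the whole chain.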

