On Fri, Jan 04, 2008 at 11:15:35AM +0000, Keyser Söze wrote:
> Hi
>
> I'd like to know whether it's possible to check the signature of a Debian
> (Etch) install CD, at the earliest stage of the install process.
> Indeed, right after the base-installer unpacks the base system files, apt
> loads the contents of the CD and checks the Release.gpg signature against the
> Release file.
> Two problems, however:
> - apt will complain if the signature is wrong, but won't if the Release.gpg
> file is not even present on the CD;
> - this procedure excludes the udebs loaded by debian-installer
>
> So, is there a way to secure the whole install process (I mean, besides
> manual checking)? I noticed that gpgv is among the default udebs, what is it
> used for?

Perhaps I don't understand "manual checking".
Would you be satisfied by checking a signature of a checksum of the CD against a public key that you trust?

http://www.debian.org/CD/faq/#verify

Regards,
Paddy
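
The check discussed in this thread, as an added example that is not part of the original messages or of Debian's own tooling: it verifies `Release` against `Release.gpg` with `gpgv`, treats a missing signature as a failure, and then compares the files on the mounted CD with the checksums listed in `Release`. The function names, the keyring path and the default `SHA256` section are assumptions; pass `field="SHA1"` or `field="MD5Sum"` for a `Release` file that lacks a SHA256 section.

```python
import hashlib, os, subprocess

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def gpgv_ok(release, sig, keyring):
    """True only if gpgv accepts sig over release using the trusted keyring."""
    try:
        cmd = ["gpgv", "--keyring", keyring, sig, release]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except OSError:
        return False  # gpgv not installed: treat as unverified

def parse_release(text, field="SHA256"):
    """Return {relative_path: (hex_digest, size)} from one checksum section."""
    entries, active = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            active = line.strip() == field + ":"
        elif active:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_dist(dist_dir, keyring, check_sig=gpgv_ok, field="SHA256"):
    """Return a list of problems; an empty list means the tree verified."""
    release = os.path.join(dist_dir, "Release")
    sig = release + ".gpg"
    # Fail closed: a missing signature is an error, not "nothing to check".
    if not (os.path.isfile(release) and os.path.isfile(sig)):
        return ["Release or Release.gpg missing"]
    if not check_sig(release, sig, keyring):
        return ["bad signature on Release"]
    with open(release, encoding="utf-8") as fh:
        entries = parse_release(fh.read(), field)
    if not entries:
        return ["no %s section in Release" % field]
    problems = []
    for path, (digest, size) in sorted(entries.items()):
        full = os.path.join(dist_dir, path)
        if not os.path.isfile(full):
            continue  # Release may list index files this CD does not carry
        with open(full, "rb") as fh:
            data = fh.read()
        actual = hashlib.new(ALGOS[field], data).hexdigest()
        if len(data) != size or actual != digest:
            problems.append("mismatch: " + path)
    return problems
```

Only the index files named in `Release` are covered; the packages and udebs themselves still have to be checked against the checksums inside the verified `Packages` files.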

