On Fri, Oct 19, 2012 at 12:28:36PM +0300, Lars Nooden wrote:
> Hi,
> 
> Where can I find an up-to-date description of exactly how PGP is used by APT 
> in packaging?  I can't find the source any more but I got the impression 
> that the individual packages were not signed but merely checksummed and 
> that the list of checksums was the only thing that was actually signed.  
> What is the real situation?

That is true. As described here[1], the package checksums are stored in
the "Packages" file, the checksums for the "Packages" file are stored in
the "Release" file, and the Release file is GPG signed. So you have a
chain of fidelity from Release to the package and a chain of trust from
yourself to Release.

[1] http://wiki.debian.org/SecureApt

> 
> Regards,
> /Lars

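The chain the reply describes (signed Release -> digest of Packages -> digest of the .deb) can be walked by hand. The following is an added example, not apt's own code or anything from the Debian wiki page: it constructs a tiny Release file, a Packages stanza and a fake package payload inline, then verifies each hash link in turn. The OpenPGP signature check on Release is represented by a caller-supplied callback (an assumption; real apt runs gpgv against its trusted keyrings for that step), so the example shows the hash chain only.

```python
"""Added example: walk the SecureApt hash chain on constructed data.

Not apt's implementation. Release, Packages and the .deb payload are all
constructed inline; the GPG verification of Release is an assumed callback.
"""
import hashlib


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample artefacts ------------------------------------------
DEB_BYTES = b"!<arch>\nconstructed-fake-debian-package-payload\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"

# A single Packages stanza carrying the size and SHA256 of the .deb.
PACKAGES_TEXT = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {_sha256(DEB_BYTES)}\n"
    "\n"
)

# A minimal Release file whose SHA256 block covers the Packages file.
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {_sha256(PACKAGES_TEXT.encode())} {len(PACKAGES_TEXT.encode())} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: block of a Release file."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):      # block ends at the next unindented field
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (sha256_hex, size)} from each stanza of a Packages file."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def verify_chain(release_text, release_signature_ok, packages_path,
                 packages_text, deb_path, deb_bytes) -> bool:
    """Verify every link: signed Release -> Packages digest -> .deb digest.

    release_signature_ok is an assumed callback standing in for the OpenPGP
    check apt performs on Release; everything after it is plain hashing.
    """
    if not release_signature_ok(release_text):
        return False                              # untrusted Release: stop here
    release = parse_release_sha256(release_text)
    if packages_path not in release:
        return False                              # Packages file not covered
    exp_digest, exp_size = release[packages_path]
    pkg_bytes = packages_text.encode()
    if len(pkg_bytes) != exp_size or _sha256(pkg_bytes) != exp_digest:
        return False                              # Packages file tampered
    packages = parse_packages(packages_text)
    if deb_path not in packages:
        return False                              # package not listed
    deb_digest, deb_size = packages[deb_path]
    return len(deb_bytes) == deb_size and _sha256(deb_bytes) == deb_digest


if __name__ == "__main__":
    ok = verify_chain(RELEASE_TEXT, lambda _t: True, PACKAGES_PATH,
                      PACKAGES_TEXT, DEB_PATH, DEB_BYTES)
    tampered = verify_chain(RELEASE_TEXT, lambda _t: True, PACKAGES_PATH,
                            PACKAGES_TEXT, DEB_PATH, DEB_BYTES + b"x")
    print("intact chain:", ok, "| tampered .deb:", tampered)
```

Because the .deb itself carries no signature, a modified package is caught only through the Packages file, and a modified Packages file only through the signed Release; any break in that chain, including a Release whose signature does not verify, must be treated as a failure rather than a warning.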