Hi Jason, I'm working on adding support for digital signature verification in apt, to allow authentication of the source of downloaded packages. Since we (Conectiva) intend to work extensively with mirror sites, that's an important feature.
The modifications I'm making are to add a companion file to sources.list, named vendors.list. That file will contain a list of vendors the user trusts and public key IDs for them. Each of the repositories listed in sources.list may have an extra field (enclosed with [] after the distribution type) that tells which real source that site corresponds to. So, if I have a mirror of Conectiva at blabla.com, the sources.list entry for it would look like:

    rpm [cncbr] ftp://blabla.com/etc other usual info comes here

where [cncbr] is a string that identifies a package vendor. That identifier would be optional, and in such case digital signature authentication would not be done. The vendors.list file will contain:

    cncbr "Conectiva S.A. <[EMAIL PROTECTED]>" gpg:1024D/99807190

which are the vendor identifier, the information about the vendor, and a list of public key types (gpg or pgp) and IDs for it. Having that information, the code in acquire-item.cc would request the just downloaded file to have its signature checked and see if it really comes from cncbr, issuing a warning and aborting the process if it fails. The actual checking of the package signatures is done by rpmlib, in my case. Debian packages would probably be checked by Debian specific classes.

Does that sound ok for you? I still haven't checked in these changes into my cvs, but should be doing that soon, maybe tomorrow.

-- Alfredo
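The vendors.list / sources.list mapping described in the message, as an added example that is not part of the original mail or of apt: it parses both formats as proposed, resolves which vendor keys a downloaded file must be signed with, skips verification only when the entry carries no vendor tag, and refuses (instead of silently passing) when the tag names a vendor missing from vendors.list. The sample vendors.list, the e-mail address and the mirror paths are constructed placeholders.

```python
import shlex
from dataclasses import dataclass

@dataclass
class Vendor:
    ident: str        # short identifier used inside [] in sources.list
    description: str  # free-text vendor name, quoted in vendors.list
    keys: list        # list of (key type, key id), e.g. ("gpg", "1024D/99807190")

# Constructed sample of the proposed vendors.list (e-mail address is a placeholder).
VENDORS_LIST = '''
# vendor-id  "description"  key-type:key-id ...
cncbr "Conectiva S.A. <vendor@example.com>" gpg:1024D/99807190
'''

def parse_vendors_list(text):
    """Parse vendors.list into {identifier: Vendor}; rejects malformed key specs."""
    vendors = {}
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)   # handles the quoted description
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("vendors.list: need id, description and a key: %r" % raw)
        keys = []
        for spec in fields[2:]:
            ktype, _, kid = spec.partition(":")
            if ktype not in ("gpg", "pgp") or not kid:
                raise ValueError("vendors.list: bad key spec %r" % spec)
            keys.append((ktype, kid))
        vendors[fields[0]] = Vendor(fields[0], fields[1], keys)
    return vendors

def parse_sources_entry(line):
    """Split a sources.list line into (type, vendor-id or None, uri, remaining fields)."""
    fields = line.split()
    vendor = None
    if len(fields) > 1 and fields[1].startswith("[") and fields[1].endswith("]"):
        vendor = fields[1][1:-1]
        del fields[1]
    if len(fields) < 2:
        raise ValueError("sources.list: missing URI in %r" % line)
    return fields[0], vendor, fields[1], fields[2:]

def keys_for_entry(line, vendors):
    """Keys a file fetched via this entry must be signed with.
    None means the entry has no vendor tag, so no signature check is done (as proposed).
    An unknown vendor tag is a configuration error and must abort, never fall open."""
    _, vendor, _, _ = parse_sources_entry(line)
    if vendor is None:
        return None
    if vendor not in vendors:
        raise KeyError("sources.list names vendor %r not present in vendors.list" % vendor)
    return vendors[vendor].keys
```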

