On Thu, 21 Sep 2000, Alfredo Kengi Kojima wrote:

> I'm working on adding support for digital signature verification in apt,
> to allow authentication of the source of downloaded packages. Since we
> (Conectiva) intend to work extensively with mirror sites, that's an
> important feature.

Hm, you'd be a lot better off to just sign your index file and check that on
Update. Since that file already has hashes of the other files you get your
checking for free. Debian will be implementing this at some point I suspect.

> The modifications I'm making is to add a companion file to sources.list,
> named vendors.list. That file will contain a list of vendors the user
> trusts and public key IDs for them. Each of the repositories listed in

This sounds reasonable even if you do the above.

> The vendors.list file, will contain:
> cncbr "Conectiva S.A. <[EMAIL PROTECTED]>" gpg:1024D/99807190

This isn't so good. For OpenPGP and PGP2.x keys you need to store the
fingerprint and length. You've got the key id, the misnomer 'gpg' algorithm
and length. I'd just go with something like:

jgg 64BE1319CCF6D393BF87FF9358A6D4EE 1024 "Jason Gunthorpe <[EMAIL PROTECTED]>

This is a lot better. You'll need some way to manage key rings as well.

There is also another issue to do with age - signing package files tends to
kill that issue. Someone could construct a 'worst of' distribution that
contains all sorts of packages you have released, but later created security
fixes for. This is a serious problem with only checking signatures of .rpms.

The ultimate scheme that I have idly been thinking about is that each 'base'
url (http://ftp.debian.org/debian.org) would have a signed index file that
contains a list of all Release, Source, Source.gz, Packages, Packages.gz and
their sizes. The acquire bit would grab that file first and then check the
others as it downloads. Since this fuses the Packages+Source+Release into a
single signature it is almost impossible to create a 'worst of' without it
being plainly evident to the user. Update will have to show the release
information too, but that's not a big deal. There is also the nice advantage
that you can create accurate progress meters for the index files too :>

It also has minimal overhead which is nice too.

Jason
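An added example, not code from apt or from either poster, showing the two
things Jason asks for above: a vendors.list entry that carries a full
fingerprint rather than a short key ID, and a signed per-base-URL index of
Release/Packages/Sources with sizes that the acquire step fetches first and
then checks every other file against. The 'worst of' mirror below serves the
current signed index alongside a stale Packages file and is rejected because
that file's hash no longer matches the single signature. Assumptions: an
HMAC-SHA256 tag stands in for the OpenPGP detached signature so the example
runs offline, the index is serialised as JSON (the mail fixes no format), and
all file contents, paths, versions and keys are constructed for the demo.

```python
import hashlib
import hmac
import json
import re
import shlex

# --- vendors.list in the shape Jason proposes: tag fingerprint bits "owner" ---

FPR_RE = re.compile(r"[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}")  # PGP2.x (MD5) or OpenPGP v4 (SHA-1) fingerprint


def parse_vendor_line(line):
    """Parse one entry; a short key ID (8/16 hex) or a 'gpg:...' spec is rejected."""
    parts = shlex.split(line)
    if len(parts) != 4:
        raise ValueError("expected: tag fingerprint keylength \"Name <email>\"")
    tag, fpr, bits, owner = parts
    if not FPR_RE.fullmatch(fpr):
        raise ValueError("expected a full fingerprint (32 or 40 hex digits), not a key ID")
    return {"tag": tag, "fingerprint": fpr.upper(), "bits": int(bits), "owner": owner}


def vendor_line_accepted(line):
    try:
        parse_vendor_line(line)
        return True
    except ValueError:
        return False


# --- signed index over the index files of one 'base' URL ---

VENDOR_KEY = b"vendor-signing-key-demo"  # constructed stand-in for the vendor's OpenPGP key
PACKAGES_PATH = "dists/stable/main/binary-i386/Packages"

# Constructed current index files. OLD_PACKAGES lists the version that 1.0-2 superseded.
CURRENT_FILES = {
    "dists/stable/Release": b"Origin: Vendor\nSuite: stable\nDate: Thu, 21 Sep 2000\n",
    PACKAGES_PATH: b"Package: foo\nVersion: 1.0-2\n",
    "dists/stable/main/source/Sources": b"Package: foo\nVersion: 1.0-2\n",
}
OLD_PACKAGES = b"Package: foo\nVersion: 1.0-1\n"


def build_index(files):
    """Map each index file to its size and SHA-256; this is what gets signed as one unit."""
    return {p: {"size": len(d), "sha256": hashlib.sha256(d).hexdigest()}
            for p, d in sorted(files.items())}


def sign_index(index, key):
    body = json.dumps(index, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n-----SIG-----\n" + tag


def verify_index(blob, key):
    body, sep, tag = blob.rpartition(b"\n-----SIG-----\n")
    if not sep:
        raise ValueError("index is not signed")
    want = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(want, tag):
        raise ValueError("index signature does not verify")
    return json.loads(body)


def acquire(signed_blob, key, fetch):
    """Grab the signed index first, then check each file as it is downloaded.
    fetch(path) stands in for the HTTP download from the mirror. Sizes are known
    up front, so the total doubles as an accurate progress-meter target."""
    index = verify_index(signed_blob, key)
    total = sum(m["size"] for m in index.values())
    fetched = {}
    for path, meta in index.items():
        data = fetch(path)
        if len(data) != meta["size"]:
            raise ValueError(f"{path}: size {len(data)} != {meta['size']}")
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            raise ValueError(f"{path}: hash mismatch, stale or tampered file")
        fetched[path] = data
    return fetched, total


def check_mirror(signed_blob, key, mirror_files):
    """Return (ok, reason) for a mirror serving the given path -> bytes mapping."""
    try:
        acquire(signed_blob, key, lambda p: mirror_files[p])
        return True, "all index files match the signed index"
    except (ValueError, KeyError) as e:
        return False, str(e)


SIGNED_INDEX = sign_index(build_index(CURRENT_FILES), VENDOR_KEY)
HONEST_MIRROR = dict(CURRENT_FILES)
# 'Worst of' mirror: current signed index and Release, but the superseded Packages file.
WORST_OF_MIRROR = dict(CURRENT_FILES, **{PACKAGES_PATH: OLD_PACKAGES})

if __name__ == "__main__":
    print(check_mirror(SIGNED_INDEX, VENDOR_KEY, HONEST_MIRROR))
    print(check_mirror(SIGNED_INDEX, VENDOR_KEY, WORST_OF_MIRROR))
```

Because Release, Packages and Sources are covered by one signature, an
attacker who holds only old signed files cannot mix them with the current
index: the stale Packages file fails its hash check, and re-signing a
'worst of' index needs the vendor's key. A per-.rpm signature scheme gives
no such cross-file binding, which is the age problem the mail describes.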

