Hi Sebastian,

> Hi Samuli,
>
> Firstly, a belated Happy New Year to you.
>
> Secondly, thanks for rushing out version 2.3.10 for the benefit of users.
>
> Thirdly, I would appreciate it if you could upload the corresponding *.asc
> files of the following *.deb files in
> http://swupdate.openvpn.net/apt/pool/jessie/main/o/openvpn/
>
> openvpn_2.3.10-debian0_amd64.deb
> openvpn_2.3.10-debian0_i386.deb
>
> Without the said *.asc files, there is no guarantee that they are the
> official packages made by you.

Actually apt/dpkg handles signature validation automatically. I believe this is how it works:

<https://help.ubuntu.com/community/SecureApt>
<https://wiki.debian.org/SecureApt>

While the packages themselves are not validated, the Release file is signed, its signature being stored in Release.gpg. When apt is installing a package, it gets the Release file from the repo, checks that the file is untampered and loads the cryptographic hashes for the actual package files from it. If the hashes in the Release file do not match the hashes of the actual packages, apt will complain loudly.

If you download packages from the repo manually, the above validation is of course not done automatically. You can do it yourself, though, with standard tools (gpg, sha256sum, etc.). This will require a bit of effort on your part, but downloading packages manually is not a very common use case.

The fact that apt repos are accessed via HTTPS gives further confidence in the origin of the packages.

> For your information I've downloaded your keyfile (is that the proper name?)
> from one of the public keyservers. It ends with 198d22a3

That particular key is my main GnuPG key. I have a separate key for use with apt repositories. The idea is/was that the apt signing key could potentially be used by people other than me.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
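
The manual check mentioned in the reply above, as an added shell example that is not part of the original mail or of OpenVPN's tooling: it verifies the Release signature with gpgv, then follows the hashes from Release to the Packages index and from Packages to the downloaded .deb. The function names are hypothetical, and the keyring, index path and file locations are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original mail. Paths and the keyring are
# supplied by the caller; nothing here is specific to one repository.

# Step 1 (root of trust): check the detached signature Release.gpg over
# Release using only the keys in the given keyring (the apt signing key).
verify_release_sig() {   # args: keyring Release.gpg Release
    gpgv --keyring "$1" "$2" "$3"
}

# Print the SHA256 that Release lists for an index path
# (path as written in Release, e.g. main/binary-amd64/Packages).
release_sha256_for() {   # args: Release index-path
    awk -v want="$2" '
        /^SHA256:/ { insec = 1; next }
        /^[^ ]/    { insec = 0 }
        insec && $3 == want { print $1; exit }' "$1"
}

# Print the SHA256 that Packages lists for the stanza whose Filename has
# the given basename. Field order inside a stanza is not assumed.
packages_sha256_for() {  # args: Packages deb-basename
    awk -v want="$2" '
        /^Filename:/ { n = split($2, p, "/"); name = p[n] }
        /^SHA256:/   { sum = $2 }
        /^$/         { if (name == want) { print sum; hit = 1; exit }
                       name = ""; sum = "" }
        END          { if (!hit && name == want) print sum }' "$1"
}

file_sha256() { sha256sum "$1" | awk '{ print $1 }'; }

# Steps 2 and 3: Release vouches for Packages, Packages vouches for the .deb.
# Returns 0 on success, 1 if the index is wrong, 2 if the package is wrong.
verify_deb_chain() {     # args: Release Packages index-path deb
    idx=$(release_sha256_for "$1" "$3")
    [ -n "$idx" ] && [ "$idx" = "$(file_sha256 "$2")" ] || {
        echo "Packages does not match signed Release" >&2; return 1; }
    deb=$(packages_sha256_for "$2" "$(basename "$4")")
    [ -n "$deb" ] && [ "$deb" = "$(file_sha256 "$4")" ] || {
        echo "package does not match Packages" >&2; return 2; }
}

# Usage: verify_release_sig KEYRING Release.gpg Release &&
#        verify_deb_chain Release Packages main/binary-amd64/Packages pkg.deb
```

The hash chain is only meaningful after verify_release_sig has succeeded against a keyring that contains just the repository's signing key, obtained over a channel you trust.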