Hi Samuli

> Actually apt/dpkg handles signature validation automatically. I believe this
> is how it works:
>
> <https://help.ubuntu.com/community/SecureApt>
> <https://wiki.debian.org/SecureApt>

Yes, the procedure that you described in your reply assumes that my machine is connected to the internet. But what happens when I do not have internet access at the point of installing OpenVPN?

> If you download packages from the repo manually, the above validation is of
> course not done automatically. You can do it
> yourself, though, with standard tools (gpg, sha256sum, etc.).

Below is the result of doing a manual verification of openvpn_2.3.10-debian0_amd64.deb using gpg:

    gpg --verify openvpn_2.3.10-debian0_amd64.deb
    gpg: no valid OpenPGP data found.
    gpg: the signature could not be verified.
    Please remember that the signature file (.sig or .asc)
    should be the first file given on the command line.

That is why I had requested you to upload the corresponding *.asc files.

> This will require a bit of effort from your part, but downloading packages
> manually is not a very common use case.

Very true but there is a use case in which I need to download openvpn_2.3.10-debian0_amd64.deb manually and install it on my machine using

    sudo dpkg -i <packagename>

> The fact that apt repos are accessed via HTTPS gives further confidence in
> the origin of the packages.

Yes, I agree with you on that point but there is an instance in which I need to install openvpn_2.3.10-debian0_amd64.deb manually using dpkg before I allow my machine to connect to the internet.

I have noticed the offline packages:

    openvpn_2.3.10-debian0_amd64.deb
    openvpn_2.3.10-debian0_i386.deb

are accessible via an unencrypted webpage. Is there a reason for it?

Best regards.

Sebastian R.
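
The manual check with standard tools mentioned in the quoted reply, as an added example that is not part of the original message or the OpenVPN project's tooling: once `Release` has been authenticated with `gpg --verify Release.gpg Release`, the script follows the SHA256 chain from `Release` to `Packages` to the downloaded `.deb`. It assumes the standard apt repository layout described on the SecureApt pages; the function names and the index path argument are illustrative.

```shell
#!/bin/sh
# Added example. Assumes Release was already authenticated with:
#   gpg --verify Release.gpg Release
# Function names and the paths in the usage line are illustrative.

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# release_hash RELEASE INDEX_PATH: SHA256 that Release records for an index file
release_hash() {
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }
        /^[^ ]/    { in_sec = 0 }
        in_sec && $3 == want { print $1; exit }' "$1"
}

# packages_hash PACKAGES DEB_NAME: SHA256 from the stanza whose Filename ends in DEB_NAME
packages_hash() {
    awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        file = ""; sum = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Filename: /) { file = $i; sub(/^Filename: /, "", file); sub(/^.*\//, "", file) }
            if ($i ~ /^SHA256: /)   { sum = substr($i, 9) }
        }
        if (file == want) { print sum; exit }
    }' "$1"
}

# verify_deb RELEASE PACKAGES INDEX_PATH DEB: returns 0 only if both hash links hold
verify_deb() {
    want_idx=$(release_hash "$1" "$3")
    [ -n "$want_idx" ] || { echo "index not listed in Release" >&2; return 2; }
    [ "$(sha256_of "$2")" = "$want_idx" ] || { echo "Packages does not match Release" >&2; return 3; }
    want_deb=$(packages_hash "$2" "$(basename "$4")")
    [ -n "$want_deb" ] || { echo "package not listed in Packages" >&2; return 4; }
    [ "$(sha256_of "$4")" = "$want_deb" ] || { echo ".deb does not match Packages" >&2; return 5; }
    echo "OK: $(basename "$4") matches the signed metadata"
}

# Usage: sh verify.sh Release Packages main/binary-amd64/Packages package.deb
if [ "$#" -eq 4 ]; then verify_deb "$@"; fi
```

The hash links only carry trust if the `gpg --verify` step on `Release` succeeded against a key obtained through a separate trusted channel.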