Hi,

> Below is the result of doing a manual verification of
> openvpn_2.3.10-debian0_amd64.deb using gpg:
>
> gpg --verify openvpn_2.3.10-debian0_amd64.deb
> gpg: no valid OpenPGP data found.
> gpg: the signature could not be verified.
> Please remember that the signature file (.sig or .asc) should be the first
> file given on the command line.

As said, the packages themselves do not contain the signature. You need to verify the Release file's signature, and then check whether the hashes in the Release file match the hashes of the packages.

Moreover, the key you apparently used was my personal key, not the apt signing key. The apt signing key is not available on any keyservers, only on our webserver.

> Very true but there is a use case in which I need to download
> openvpn_2.3.10-debian0_amd64.deb manually and install it on my machine using
> sudo dpkg -i <packagename>

You might want to consider setting up a local apt proxy for these cases. I use apt-cacher-ng[1] which tends to work fine:

<https://www.unix-ag.uni-kl.de/~bloch/acng/>

If the computers you're setting up are truly offline, then I suggest downloading the OpenVPN packages with a computer that has Internet access using apt-get:

$ apt-get update
$ apt-get -d install openvpn

This means apt-get will download the package and verify its signature, but _not_ install it. Then copy the package from

/var/cache/apt/archives/openvpn-<something>.deb

to a USB stick or similar. At this point you can use sha256sum or similar to calculate the hash for the package. You can also check the Release file and ensure the hashes match, but that is most likely overkill.

Then you just install the package from the USB stick to the computer with no Internet access with confidence. A paranoid person can verify the sha256 sum before installing the package.

> I have noticed the offline packages:
>
> openvpn_2.3.10-debian0_amd64.deb
> openvpn_2.3.10-debian0_i386.deb
>
> are accessible via an unencrypted webpage. Is there a reason for it?

The reason HTTP is enabled on that particular webserver is not related to the apt repository at all, but to some of the other content served from that server. You can and should use HTTPS URLs instead.

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
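
The check described in the reply above (verify the Release file's signature, then follow the hashes down to the package), as an added example that is not part of the original message or of the OpenVPN project's tooling. It assumes the repository's Release, Release.gpg and uncompressed Packages index have been downloaded next to the .deb; the keyring path, index path and function names are placeholders chosen here.

```shell
# Added example: Release -> Packages -> .deb hash chain for a hand-copied package.
# File names, the index path and the keyring path are assumptions (placeholders).

# Step 1: check Release's detached signature against the repository's apt signing key.
verify_release_sig() {  # usage: verify_release_sig KEYRING Release.gpg Release
    gpgv --keyring "$1" "$2" "$3"
}

# Print the SHA256 that Release lists for an index such as main/binary-amd64/Packages.
release_sha256() {  # usage: release_sha256 Release INDEX_PATH
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }
        /^[^ ]/    { in_sec = 0 }
        in_sec && $3 == want { print $1; exit }' "$1"
}

# Print the SHA256 from the Packages stanza whose Filename ends in the given .deb name.
packages_sha256() {  # usage: packages_sha256 Packages DEB_BASENAME
    awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum = substr($i, 9)
            }
            n = split(file, parts, "/")
            if (n > 0 && parts[n] == want) { print sum; exit }
        }' "$1"
}

file_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# Step 2: succeed only if Release vouches for Packages and Packages vouches for the .deb.
check_hash_chain() {  # usage: check_hash_chain Release INDEX_PATH Packages DEB
    chain_want=$(release_sha256 "$1" "$2")
    [ -n "$chain_want" ] && [ "$chain_want" = "$(file_sha256 "$3")" ] ||
        { echo "Packages index does not match Release" >&2; return 1; }
    chain_want=$(packages_sha256 "$3" "$(basename "$4")")
    [ -n "$chain_want" ] && [ "$chain_want" = "$(file_sha256 "$4")" ] ||
        { echo "package does not match Packages" >&2; return 1; }
    echo "OK: $(basename "$4") is covered by Release"
}
```

Run `verify_release_sig` first and only trust the result of `check_hash_chain` if it succeeded; an empty lookup (package or index not listed) is treated as a failure rather than a pass.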