How to verify debian packages?

2007-11-06 Thread peterer

Hello,

When I manually download debian packages (from
http://www.debian.org/distrib/packages), how can I verify that they have not
been tampered with?

I cannot use apt since these packages I need are not available in my
(ubuntu) repository.

Regards,
Lotharster
-- 
View this message in context: 
http://www.nabble.com/How-to-verify-debian-packages--tf4758279.html#a13607247
Sent from the Debian Security mailing list archive at Nabble.com.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: How to verify debian packages?

2007-11-06 Thread Marcin Owsiany
On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
 
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?

Individual packages are not signed, so you would basically need to
manually repeat the process which APT uses for verifying package
integrity:
 - calculate package's MD5 and SHA sums
 - look up the package in the Packages file, check they match, calculate
   the Packages(.gz) file's sums
 - look that one up in a Release file
 - verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.

-- 
Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
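
The lookup chain described in the reply above, as an added example (not code from this thread or from APT). It checks the SHA256 fields only, assumes an uncompressed Packages file, and leaves the Release signature check to `gpg --verify Release.gpg Release`; the function names and sample data are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def packages_entry(packages_text, name, version):
    """Return the fields of the stanza for name/version in a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        # Continuation lines (e.g. long descriptions) start with a space; skip them.
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if fields.get("Package") == name and fields.get("Version") == version:
            return fields
    return None

def release_entry(release_text, path):
    """Return (sha256, size) listed for path in the Release file's SHA256 section."""
    in_section = False
    for line in release_text.splitlines():
        parts = line.split()
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"   # a new field header starts here
        elif in_section and len(parts) == 3 and parts[2] == path:
            return parts[0], int(parts[1])
    return None

def verify_chain(deb, name, version, packages, packages_path, release_text):
    """Check .deb -> Packages -> Release. Release itself must already have
    passed `gpg --verify Release.gpg Release` against a trusted archive key."""
    entry = packages_entry(packages.decode(), name, version)
    if entry is None:
        return "package not listed in Packages"
    if (entry.get("SHA256"), entry.get("Size")) != (sha256(deb), str(len(deb))):
        return "package does not match Packages entry"
    if release_entry(release_text, packages_path) != (sha256(packages), len(packages)):
        return "Packages file does not match Release"
    return "ok"

# Constructed sample data (not a real package or archive).
DEB = b"!<arch>\nconstructed package body"
PACKAGES = ("Package: hello\nVersion: 1.0-1\nSize: %d\nSHA256: %s\n"
            "Description: constructed entry\n more text: ignored\n"
            % (len(DEB), sha256(DEB))).encode()
PATH = "main/binary-amd64/Packages"
RELEASE = "Suite: constructed\nSHA256:\n %s %d %s\n" % (sha256(PACKAGES), len(PACKAGES), PATH)

if __name__ == "__main__":
    print(verify_chain(DEB, "hello", "1.0-1", PACKAGES, PATH, RELEASE))         # intact
    print(verify_chain(DEB + b"x", "hello", "1.0-1", PACKAGES, PATH, RELEASE))  # tampered .deb
```

A modified package fails at the first link; a Packages file rewritten to match the modified package fails at the second, which is why every link up to the signed Release file has to be checked.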

