I recently had a discussion regarding Debian package signing and automatically downloading & checking package signatures (i.e. using debsig-verify).

However, I see now that the default /etc/dpkg/dpkg.conf ships with "no-debsig" by default, and users are not currently (correct me if it does) checking signatures in any way. Since developers' signatures cannot be used (they get stripped off after uploading, and using them would require having the keyring always up to date), is there any way we can provide package signing? What does debsig currently do (if anything)?

In a discussion between some Debian developers regarding how a package signing scheme could work in Debian, we came up with the following (due to the problem of the updated keyring above):

1. Packages.gz, which contains the md5sums of packages, is signed (we already do this, but through the Release file, which includes the md5sums of many files, including Packages.gz, but is not that direct). The signature is one that is permanently on the keyring and has been for some time; it could be that of a person in Debian (developer for quite some time, Project Leader, you name it) or of a group (QA?).
2. This signed Packages.gz is downloaded by 'apt-get update' and stored on the HD along with Packages.gz.
3. When a package is going to be installed, it is first downloaded and its md5sum generated.
4. The Packages.gz.gpg is checked (signature ok) and the md5sum for the downloaded package is extracted from it (this avoids tampering with files in the local system).
5. If we have the same md5sum, install; otherwise warn and leave in cache (so the user can install w/o signatures). If the package is not in the Packages.gz and the user wants signatures, warn and do not install either.

Does this scheme seem possible? How far is it from what debsig-verify intends to do? (I would appreciate it here, since this is an issue I would like to document clearly, including a roadmap in the "Securing Debian Manual".)

Regards

Javi
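The five-step scheme in the post, written out as a runnable model (this is an added example, not code from the post, from apt or from debsig-verify). It assumes a constructed one-stanza Packages index and a constructed stand-in for the .deb bytes, and it replaces the GPG detached signature on Packages.gz with an HMAC tag so that both the "signature verifies" and "signature does not verify" branches run offline; a real implementation would call gpg --verify against the long-lived archive key instead. The decision function returns one of "install", "cache" (warn and leave in cache) or "refuse", following the post's rules for a mismatching md5sum and for a package that is absent from the signed index.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# --- constructed sample data (not from any real archive) --------------------
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for example-tool_1.0-1_all.deb\n"
SAMPLE_FILENAME = "pool/main/e/example-tool/example-tool_1.0-1_all.deb"

# Stand-in for the permanently-trusted archive GPG key from step 1.
# A real implementation verifies a detached GPG signature (Packages.gz.gpg)
# with a key that is already in the local keyring; HMAC is used here only so
# the example runs without gpg.
STAND_IN_SIGNING_KEY = b"constructed-demo-signing-key"


def build_sample_index(deb_bytes: bytes, filename: str = SAMPLE_FILENAME) -> bytes:
    """Build a one-stanza Packages index whose MD5sum field matches deb_bytes."""
    md5 = hashlib.md5(deb_bytes).hexdigest()
    return (
        "Package: example-tool\n"
        "Version: 1.0-1\n"
        "Architecture: all\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb_bytes)}\n"
        f"MD5sum: {md5}\n"
    ).encode("utf-8")


def sign_index(index: bytes, key: bytes = STAND_IN_SIGNING_KEY) -> bytes:
    """Stand-in for producing Packages.gz.gpg (step 1)."""
    return hmac.new(key, index, hashlib.sha256).digest()


def index_signature_ok(index: bytes, sig: bytes, key: bytes = STAND_IN_SIGNING_KEY) -> bool:
    """Stand-in for checking Packages.gz.gpg (step 4); constant-time compare."""
    return hmac.compare_digest(sign_index(index, key), sig)


def parse_packages_index(index: bytes) -> Dict[str, Dict[str, str]]:
    """Parse control-file stanzas into {Filename: {field: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    for stanza in index.decode("utf-8").split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if not line or line[0] in " \t":
                continue  # continuation lines (e.g. Description) are not needed here
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def decide_install(index: bytes, index_sig: bytes, filename: str, deb_bytes: bytes,
                   require_signatures: bool = True) -> Tuple[str, str]:
    """Steps 3-5: return (outcome, reason); outcome is install, cache or refuse."""
    # Step 4: nothing in the index is trusted until its signature verifies.
    if not index_signature_ok(index, index_sig):
        return ("refuse", "signature on the Packages index does not verify")
    entry = parse_packages_index(index).get(filename)
    if entry is None:
        # Post, step 5: not listed and the user wants signatures -> do not install.
        if require_signatures:
            return ("refuse", "package is not listed in the signed index")
        return ("install", "package is not listed; installed without verification")
    # Step 3: digest of the downloaded .deb, compared against the signed value.
    actual = hashlib.md5(deb_bytes).hexdigest()
    if hmac.compare_digest(actual, entry["MD5sum"].lower()):
        return ("install", "md5sum matches the signed index")
    return ("cache", "md5sum mismatch; package left in cache, not installed")


if __name__ == "__main__":
    index = build_sample_index(SAMPLE_DEB)
    sig = sign_index(index)
    print(decide_install(index, sig, SAMPLE_FILENAME, SAMPLE_DEB))
    print(decide_install(index, sig, SAMPLE_FILENAME, SAMPLE_DEB + b"tampered"))
    print(decide_install(index.replace(b"MD5sum: ", b"MD5sum: 0"), sig, SAMPLE_FILENAME, SAMPLE_DEB))
    print(decide_install(index, sig, "pool/main/o/other/other_1_all.deb", SAMPLE_DEB))
```

The ordering matters: the index signature is checked before any md5sum is read from it, so a locally modified Packages file is rejected outright rather than being used to bless a modified .deb, which is the "avoids tampering with files in the local system" property the post describes.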