On Sun, Apr 6, 2008, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
>
> It should be possible to verify the package on install time. (Especially
> when not using apt-get).
>
> Not sure if debsig-verify can work in that environment.
debsig-verify is not applicable in my case. It implements a different checking scheme from apt-secure, with a different chain of trust. debsig-verify can check the signature of the individual who prepared a package, while apt-secure verifies the signature of the archive maintainers, which applies to all packages. debsig-verify cannot verify the archive maintainers' signature (Release.gpg).

I trust the archive maintainers and have a secure way to get a copy of their public key. I don't trust individual developers and cannot have all of their keys securely distributed to me.

As far as I know, debsig-verify is not currently in use by either Debian or Ubuntu, and many packages lack a signature. The Securing Debian Manual (section 7.4.5) even says that signatures from developers are stripped when the packages enter the archive, because the preferred method of verification is secure apt.

--
Alexander
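To make the apt-secure chain of trust Alexander describes concrete, here is an added example (not code from the thread or from apt itself) of the hash chain that hangs below the archive maintainers' Release.gpg signature: the signed Release file lists the SHA256 of each Packages index, and the Packages index lists the SHA256 of each .deb. It assumes the Release.gpg signature has already been checked against the archive keyring (e.g. with gpgv), and all sample data is constructed inline, not taken from any real archive.

```python
import hashlib
import re

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"  # section header, e.g. "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Split a Packages index into stanzas, each a {field: value} dict."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        stanzas.append(dict(line.split(": ", 1) for line in block.splitlines() if ": " in line))
    return stanzas

def verify_index(release_text, index_path, index_bytes):
    """Step 2: the Packages index must match the hash the signed Release lists for it."""
    digest, size = parse_release_sha256(release_text).get(index_path, (None, None))
    return (digest is not None and len(index_bytes) == size
            and hashlib.sha256(index_bytes).hexdigest() == digest)

def verify_deb(packages_text, filename, deb_bytes):
    """Step 3: the .deb must match the hash the verified Packages index lists for it."""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and hashlib.sha256(deb_bytes).hexdigest() == stanza["SHA256"])
    return False  # a package absent from the signed index is never trusted

# Constructed sample data (not from any real archive): a fake .deb, a one-stanza
# Packages index describing it, and a Release file covering that index.
DEB = b"not a real .deb, just constructed bytes"
PACKAGES = ("Package: example\nVersion: 1.0-1\n"
            "Filename: pool/main/e/example/example_1.0-1_all.deb\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n")
RELEASE = ("Suite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES.encode())} main/binary-all/Packages\n")

def verify_chain(release_text, packages_text, deb_bytes):
    # Step 1 (Release.gpg signature via gpgv and the archive keyring) is assumed done.
    return (verify_index(release_text, "main/binary-all/Packages", packages_text.encode())
            and verify_deb(packages_text, "pool/main/e/example/example_1.0-1_all.deb", deb_bytes))
```

Because only Release is signed, any change to the Packages index or to a .deb breaks the chain at the corresponding hash, which is why one maintainer signature covers every package in the archive.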