On Tue, Sep 20, 2022 at 06:40:01PM +0200, Hans wrote:
> Hi Tim,
>
> I am not sure you are correct. But please correct me!
>
> > apt does this for you. There are a set of gpg public keys in
> > /etc/apt/trusted.gpg.d.
> >
>
> Yes, apt is trusting the whole server, so it verifies that a server which
> claims to be repo.debian.org is the real one, nothing else.
Here's how it works:
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

The short story is: you have to trust your initial installation media. It has the necessary public keys to check the signatures of what it pulls in. The installation media checksums are published, so /if/ you are seeing what others are, chances are good that the published checksums are fine. If some Evil Instance is controlling your whole internet, well... your installation media will already be compromised.

Cheers
-- t
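The two checks the reply leans on for installation media, written out as an added example (this is not code from the thread or from Debian): first the detached PGP signature on the published SHA512SUMS file is verified with gpgv, the same verifier apt uses for Release files, against a keyring holding the Debian CD signing key; then the downloaded image is checked against that list. The keyring path, the file names and the self-check's fake "image" are assumptions chosen here, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Verifies installation
# media the way the reply describes: signature on the checksum list first,
# then the image against the list. All paths are the caller's choice.

# Step 1: verify the detached signature on the checksum list.
# $keyring is assumed to hold the Debian CD signing key; gpgv exits non-zero
# on a bad or unknown signature, so the caller should stop there.
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpgv --keyring "$keyring" "$sig" "$sums"
}

# Step 2: verify one image against a SHA512SUMS-format list
# ("<hex digest>  <file name>", one entry per line).
# Returns 0 when the image's line matches, 1 when it is missing or differs.
verify_image() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    # pick the digest whose file name matches; tolerate a leading '*' (binary mode)
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha512sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAILED: $name checksum mismatch" >&2
    return 1
}

# Offline self-check with a constructed "image" (not a real ISO): the
# untouched file must pass and a tampered copy must fail.
selfcheck() {
    dir=$(mktemp -d)
    printf 'not a real iso\n' > "$dir/debian-test.iso"
    printf '%s  debian-test.iso\n' \
        "$(sha512sum "$dir/debian-test.iso" | awk '{ print $1 }')" > "$dir/SHA512SUMS"
    verify_image "$dir/SHA512SUMS" "$dir/debian-test.iso" || return 1
    printf 'tampered\n' >> "$dir/debian-test.iso"
    if verify_image "$dir/SHA512SUMS" "$dir/debian-test.iso" 2>/dev/null; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}
```

For a real download the order matters: run `verify_sums_signature SHA512SUMS SHA512SUMS.sign <keyring>` before `verify_image`, because an unverified checksum list only proves the image matches whatever the server handed out, which is exactly the "trusting the whole server" situation the thread is about.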