On Tue, Sep 20, 2022 at 07:27:33PM +0100, Tim Woodall wrote:
> On Tue, 20 Sep 2022, Hans wrote:
>
> > Hi Tim,
> >
> > I am not sure you are correct. But please correct me!
> > > apt does this for you. There are a set of gpg public keys in
> > > /etc/apt/trusted.gpg.d.
> > >
> >
> > Yes, apt is trusting the whole server, so it verifies that a server that
> > claims to be repo.debian.org is the real one, nothing else.
> >
> No, apt is verifying the release file was signed by a key that it has
> the matching public key for.
Exactly: your "root of trust" is the installer you got from somewhere. So if it's important to you, you will double-check that one.

Cheers
-- t
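The check Tim describes, as an added example that is not part of this thread: apt verifies the signature on the InRelease/Release file with the keyrings in /etc/apt/trusted.gpg.d, and only then trusts the index hashes listed inside it. The Release fragment and Packages index below are constructed (a hypothetical suite, not real Debian data); `verify_release_signature` assumes gpgv and binary .gpg keyrings are present on the host.

```python
"""Reproduce the apt trust chain below the Release-file signature (constructed example)."""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

# Constructed Packages index and Release fragment; not a real Debian suite.
PACKAGES_INDEX = b"Package: example\nVersion: 1.0\nSHA256: deadbeef\n"
RELEASE_TEXT = (
    "Suite: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages\n"
    " 0000000000000000000000000000000000000000000000000000000000000000 12 main/binary-amd64/Release\n"
)


def parse_sha256_section(release_text: str) -> dict:
    """Return {path: (hex digest, size)} from the Release file's SHA256 stanza."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):   # a new field starts; only SHA256: interests us
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.startswith(" "):  # continuation line: "<digest> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def index_matches_release(release_text: str, path: str, data: bytes) -> bool:
    """True only if both size and SHA-256 of `data` match the entry in the (signed) Release file."""
    entry = parse_sha256_section(release_text).get(path)
    if entry is None:
        return False  # an index that the signed Release does not list is untrusted
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_release_signature(inrelease: Path) -> bool:
    """Run gpgv against the same keyrings apt trusts (binary .gpg only; .asc needs gpg --dearmor)."""
    keyrings = sorted(Path("/etc/apt/trusted.gpg.d").glob("*.gpg"))
    if shutil.which("gpgv") is None or not keyrings:
        raise RuntimeError("gpgv or /etc/apt/trusted.gpg.d keyrings not available on this host")
    cmd = ["gpgv"]
    for keyring in keyrings:
        cmd += ["--keyring", str(keyring)]
    cmd.append(str(inrelease))  # clearsigned InRelease carries signature and data in one file
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

A mirror that serves the right certificate but a tampered Packages index fails `index_matches_release`, which is the step that makes the signature on Release meaningful for what apt actually installs.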