On Sun, 13 Dec 2009, Jason Self wrote:
You do use the public key to verify that the authenticity of the
software being downloaded, but someone else's public key cannot be used
to verify the signature done with a different secret key... you need to
use the public key that corresponds to the secret key used to do the
actual signing.
IIRC PGP is used to sign the release files (*) and the MD5 checksums of
the individual packages are kept there and used by APT. The goals are to
ensure authenticity and integrity of the packages. Currently generating
MD5 collisions (**) may or may not be feasible, but it probably could be
done in a reasonable amount of time with distributed processing.
One of the other digest algorithms might be safer nowadays, such as
SHA256, for a while, if it doesn't slow things down too much.
... if the public key were put on the wiki ...
The wiki migt be too ephemeral. Somewhere harder to change might be good.
There are some keys listed on this page:
http://www.gnewsense.org/Main/FixExpiredArchiveKey
Or the FAQ might be a place for the metad key:
http://www.gnewsense.org/index.php?n=FAQ.FAQ
/Lars
* http://wiki.debian.org/SecureApt
** http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html
_______________________________________________
gNewSense-users mailing list
gNewSense-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/gnewsense-users
