List: debian-security
Subject: Re: How to verify debian packages?
From: Marcin Owsiany <porridge () debian ! org>
Date: 2007-11-06 16:55:18
Message-ID: 20071106165517.GB17150 () beczulka
On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
>
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?
Individual packages are not signed, so you would basically need to
manually repeat the process which APT uses for verifying package
integrity:
 - calculate package's MD5 and SHA sums
 - look up the package in the Packages file, check they match, calculate
   the Packages(.gz) file's sums
 - look that one up in a Release file
 - verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
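
The hash chain described in the reply above, as an added example that is not part of the original message and is not APT's own code. It assumes the SHA256 fields of the Packages and Release files are used, that the Release text has already passed the signature check against Release.gpg (for example with gpgv), and all sample data and function names are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_packages(text: str) -> dict:
    """Map each stanza's Filename to its fields (Packages index format)."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def parse_release_sha256(text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    sums, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):      # a new top-level field starts
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums

def verify_chain(deb, filename, packages, packages_path, release) -> bool:
    """Package -> Packages -> Release; Release must already be signature-checked."""
    entry = parse_packages(packages.decode()).get(filename)
    if entry is None or entry.get("SHA256") != sha256_hex(deb):
        return False                      # package not listed, or contents differ
    if int(entry.get("Size", -1)) != len(deb):
        return False
    listed = parse_release_sha256(release).get(packages_path)
    return listed == (sha256_hex(packages), len(packages))

def build_sample():
    """Constructed stand-ins for a .deb, its Packages index and Release file."""
    deb = b"constructed stand-in for hello_1.0_all.deb"
    name = "pool/main/h/hello/hello_1.0_all.deb"
    packages = (f"Package: hello\nFilename: {name}\nSize: {len(deb)}\n"
                f"SHA256: {sha256_hex(deb)}\n"
                "Description: constructed entry\n more text\n").encode()
    path = "main/binary-all/Packages"
    release = f"Suite: example\nSHA256:\n {sha256_hex(packages)} {len(packages)} {path}\n"
    return deb, name, packages, path, release
```

A package swapped together with a matching forged Packages entry still fails at the Release lookup, which is why the signature on Release is the step that anchors the whole chain.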