
Re: How to verify debian packages?

From: Marcin Owsiany <porridge(at)debian.org>
Date: Tue Nov 06 2007 - 11:55:18 EST


On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
>
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?

Individual packages are not signed, so you would basically need to manually repeat the process which APT uses for verifying package integrity:

  • calculate package's MD5 and SHA sums
  • look up the package in the Packages file, check they match, calculate the Packages(.gz) file's sums
  • look that one up in a Release file
  • verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.

-- 
Marcin Owsiany <porridge(at)debian.org>
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216


Received on Tue Nov 6 11:56:31 2007
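
The chain described in the reply above (package, then Packages(.gz), then Release, then Release.gpg), as an added example that is not part of the original message or of APT's code. It assumes the SHA256 fields of the Packages and Release files are used; the function names, the sample data and the keyring path passed to `gpgv` are choices of this example.

```python
import gzip
import hashlib
import subprocess

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def packages_entry(packages_text: str, filename: str) -> dict:
    """Return the fields of the Packages stanza whose Filename matches."""
    for stanza in packages_text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation of a multi-line field
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields.get("Filename") == filename:
            return fields
    raise LookupError(f"{filename} is not listed in Packages")

def release_sha256(release_text: str) -> dict:
    """Map path -> (sha256, size) from the SHA256 section of Release."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums

def verify_chain(deb, filename, index, index_path, release_text) -> bool:
    """Steps 1-3: package -> Packages(.gz) -> Release. Hash the index as fetched."""
    text = gzip.decompress(index) if index_path.endswith(".gz") else index
    entry = packages_entry(text.decode(), filename)
    if (entry.get("SHA256"), int(entry["Size"])) != (sha256(deb), len(deb)):
        return False
    return release_sha256(release_text).get(index_path) == (sha256(index), len(index))

def verify_release_signature(release, sig, keyring) -> bool:
    """Step 4: the hashes above mean nothing unless this also succeeds."""
    return subprocess.run(["gpgv", "--keyring", keyring, sig, release]).returncode == 0

# Constructed sample data, not a real package or archive.
DEB = b"constructed .deb bytes"
NAME = "pool/main/h/hello/hello_1.0_all.deb"
PACKAGES = (f"Package: hello\nFilename: {NAME}\nSize: {len(DEB)}\n"
            f"SHA256: {sha256(DEB)}\nDescription: sample\n extended text\n").encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} main/binary-all/Packages\n"
```

On a Debian system the keyring argument would typically be `/usr/share/keyrings/debian-archive-keyring.gpg`, and `filename` is the package's path relative to the archive root as it appears in the `Filename:` field.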

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:16 EDT

