Re: backports

On Sat, Jun 23, 2007 at 17:28:19 +0100, Chris Lale wrote:
> Bob Proulx wrote:

[...]

> > In backports-users Alexander Wirt wrote:
> >> I have uploaded the bpo keyring to the archive which makes it
> >> possible to add the bpo archive signing key via apt-get install
> >> debian-backports-keyring to you apt keyring. I hope I haven't missed
> >> anything but please test it.
> >
> > apt-cache show debian-backports-keyring
> >
> > Description: GnuPG archive key of the backports.org repository
> > The backports repository digitally signs its Release files. This package
> > contains the repository key used for that.
> >
>
> Thanks Bob! You learn something new every day. :)
>
> I might add that this package comes from the debian-backports repository itself,
> so you need to add the repository to /etc/apt/sources.list, "aptitude update",
> ignore the GPG error and "aptitude install debian-backports-keyring" to avoid
> GPG errors in future.

After installing the debian-backports-keyring package I would at least check the signatures of the new key, like this:

$ cd /usr/share/keyrings/
$ gpg --no-default-keyring --keyring ./debian-backports-keyring.gpg --keyring ./debian-keyring.gpg --check-sig "Backports.org Archive Key" pub 1024D/16BA136C 2005-08-21

uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key

1 signature not checked due to a missing key

(I have removed all email addresses from the output of the gpg command.)

Then you know at least that the new key has been signed by Joerg Jaspert and you checked his signature using his public key from the debian-keyring package. (The second signature cannot be checked because that key is not part of the Debian keyring.)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

An even better approach would be to download the Backports.org Archive Key manually and to check the signature before adding the new key to apt's keyring. (Installing the debian-backports-keyring package directly means that an unverified post-installation script has root on your computer, therefore you cannot really trust anything after that, including the keys on the Debian keyring.)

P.S. The same goes for the debian-multimedia-keyring package.

-- 
Regards,            | 
http://users.icfo.es/Florian.Kulzer
          Florian   |


-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org