Hosting Provided By

Re: backports

From: Chris Lale <chrislale(at)untrammelled.co.uk>
Date: Wed Jun 27 2007 - 12:27:15 EDT

Florian Kulzer wrote:
> On Sun, Jun 24, 2007 at 08:54:05 +0100, Chris Lale wrote:

>> Florian Kulzer wrote:
>> [...]
>>> An even better approach would be to download the Backports.org Archive
>>> Key manually and to check the signature before adding the new key to
>>> apt's keyring. (Installing the debian-backports-keyring package directly
>>> means that an unverified post-installation script has root on your
>>> computer, therefore you cannot really trust anything after that,
>>> including the keys on the Debian keyring.)
>>>
>>> P.S. The same goes for the debian-multimedia-keyring package.
>>>
>> Yes, Florian, you must be right! I wonder why they offer the keyring package?

>
> The keyring package allows automatic installation of new signing keys,
> just like debian-archive-keyring for the normal Debian pool. This is
> safe - or at least as "safe" as your basic trust in Debian is - provided
> that you perform the initial check. From the on, each new key can be
> verified (automatically) with the old key during a transition period and
> the chain of trust remains intact. (I don't know how often they will
> issue a new key for the backports archive, though; the normal Debian
> archive keys get updated at least once a year.)
>

>> The instructions page does give instructions about how to install the key -
>> and no mention of the debian-backports-keyring package:
>>
>> 	... you can import backports.org archive’s key into apt:
>>
>> 	gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
>> 	gpg --export | apt-key add -
>>
>> 	or
>>
>> 	wget -O - 
http://backports.org/debian/archive.key | apt-key add -
>>
>> No mention of how to check it though. Can you check the sig before installing
>> the key?

>
> Yes, you can: Just run the "gpg ... --recv-keys ..." command as your
> normal user and the new key will be added (as untrusted) to your normal
> user's public keyring. Then you can perform the check:
>
> $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C
>
> and make sure that Joerg Jaspert's signature (key 7E7B8AC9) is valid.
> After that you can feed the key to apt
>
> $ gpg -a --export 16BA136C | sudo apt-key add -
>
> and you are all set. If you do not want to use sudo then you can export
> the key to a file before you become root:
>
> $ gpg -a --export 16BA136C > backports-archive-key.txt
> # apt-key add backports-archive-key.txt
>
> If you have problems with the keyserver then you can use the wget
> command to add the key to your public keyring:
>
> $ wget -O - http://backports.org/debian/archive.key | gpg --import -
>
> Then you can perform the same check before you tell apt to trust the
> key. I would avoid running anything as root except for the apt-key
> command.
>

How to you check the output of "gpg --check-sigs"? I Googled a bit and it seems that an exclamation mark ("!") indicates a successful check. Is that true? eg
$ gpg --check-sigs --keyring /usr/share/keyrings/debian-backports-keyring.gpg

/usr/share/keyrings/debian-backports-keyring.gpg

pub 1024D/16BA136C 2005-08-21

uid                  Backports.org Archive Key 
sig!3        16BA136C 2005-08-21  Backports.org Archive Key

sig!3        16BA136C 2005-08-21  Backports.org Archive Key

<ftp-master@backports.org>
sub 2048g/5B82CECE 2005-08-21
sig! 16BA136C 2005-08-21 Backports.org Archive Key <ftp-master@backports.org>

I wanted to find a generic method of importing and checking keys for a number of unofficial deb sites. It is difficult to find the key ids on some of the websites. One thing they all had in common was having a keyring package. I tried backports.org, debian-multimedia.org and debian-unofficial.org. So, here is my generic method:

Add the appropriate line to /etc/apt/sources.list.
Update with apt-get or aptitude.
Install the appropriate keyring package (eg debian-multimedia-keyring). The keyrings all end up in /etc/share/keyrings/${package-name}.gpg
Check the signatures IMMEDIATELY eg $ gpg --check-sigs --keyring /usr/share/keyrings/debian-multimedia-keyring.gpg
If the check fails,

a.purge the keyring package and check that the keyring subdirectory has been removed from /etc/share/keyrings/.

b. You can still install packages from the suspect repository, but there will be a warning. To be safe, remove the repository line from /etc/apt/sources.list.

-- 
Chris.


-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Wed Jun 27 12:28:01 2007

This message: [ Message body ]
Next message: Orestes leal: "The Perfect Linux gaming Box"
Previous message: Orestes leal: "Re: NTFS-3G Under 4.0"
In reply to: Florian Kulzer: "Re: backports"
Next in thread: Florian Kulzer: "Re: backports"
Reply: Florian Kulzer: "Re: backports"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Jun 27 2007 - 12:30:02 EDT