Re: How to verify debian packages?


How to verify debian packages?
\ peterer (6 Nov 2007)
. \ Marcin Owsiany (6 Nov 2007)

1 msg	Flavien CIBRARIO est absent(e).
1 msg	Re: [SECURITY] [DSA 1396-1] New iceweasel packa...
5 msg	chrooting rssh problem
1 msg	Rendez votre site populaire
3 msg	full drive encryption - check /boot for manipul...
8 msg	Firewall with woody
1 msg	Our foregoers the mere words a.
2 msg	Re: [SECURITY] [DSA 1379-2] New openssl package...
2 msg	Re: [SECURITY] [DSA 1381-1] New Linux 2.6.18 pa...
4 msg	debsums: no md5sums for a lot of important pack...
4 msg	CUPS and network interfaces
1 msg	[Info] 3 cartouches jet d'encre pour le prix de...
3 msg	Cambio de responsables
2 msg	Re: [SECURITY] [DSA 1379-1] New quagga packages...
1 msg	(No Subject)
1 msg	Эффективно
1 msg	armful westinghouse westinghouse;
1 msg	I was looking for you
1 msg	No need to tighten your purse strings

Subject:	Re: How to verify debian packages?
Group:	Debian-security
From:	Marcin Owsiany
Date:	6 Nov 2007

On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
>
> When I manually download debian packages (from
> http://www.debian.org/distrib/packages), how can I verify that they have not
> been tampered with?

Individual packages are not signed, so you would basically need to
manually repeat the process which APT uses for verifying package
integrity:
- calculate package's MD5 and SHA sums
- look up the package in the Packages file, check they match, calculate
the Packages(.gz) file's sums
- look that one up in a Release file
- verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.

--
Marcin Owsiany <porridge> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

--
To UNSUBSCRIBE, email to debian-security-REQUEST
with a subject of "unsubscribe". Trouble? Contact listmaster