On Monday 19 March 2012 09:28 PM, Ritesh Raj Sarraf wrote:
> Seems like Wheezy has silently done some changes in the way they handle
> signing the update packages for the update files. I have it on my list
> but unfortunately haven't had the time to look into it.
>
> Meanwhile, the workaround is to use the --allow-unauthenticated option
> in the install command

So what looks like the new approach is the following:

1) apt downloads a file named InRelease for every release. Like there'd be an InRelease file for sid, and a similar one for Wheezy and others. This file is signed by the Official Debian APT Repository.

2) So apt first downloads the InRelease file. Then it validates its signature against the user's local apt database to ensure there is no tampering.

3) If step 2 passes, apt proceeds to read the InRelease file. This file has all the apt package database details that need to be downloaded, along with their checksums.

4) It downloads the files at runtime and there itself validates their checksums. Then the rest of the stuff is as usual.

apt-offline will need to handle InRelease first, manipulate it, and then act on the rest. Then on the disconnected box, we will again need to validate (Release.gpg ?) the data to ensure that nothing was tampered with in the offline transit.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
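The InRelease handling in steps 2 to 4 above, and the re-check needed on the disconnected box, as an added example that is not apt's or apt-offline's own code: it extracts the clearsigned body of an InRelease document, reads its SHA256 section and checks a set of downloaded index files against the listed sizes and digests. The OpenPGP signature check (gpgv against the local keyring) is assumed to have passed beforehand and is not implemented here; the InRelease document and the index file contents are constructed for the example.

```python
import hashlib
import re

SIGNED_START = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"
SHA256_LINE = re.compile(r"^ ([0-9a-f]{64}) +(\d+) +(\S+)$")

def clearsigned_body(inrelease: str) -> str:
    """Text the clearsign signature covers: after the 'Hash:' headers, up to the
    signature block. Trust it only after gpgv has accepted that signature."""
    lines = inrelease.splitlines()
    if not lines or lines[0] != SIGNED_START or SIG_START not in lines:
        raise ValueError("not a clearsigned InRelease document")
    body_start = lines.index("", 1) + 1   # first blank line ends the headers
    return "\n".join(lines[body_start:lines.index(SIG_START)]) + "\n"

def parse_sha256(body: str) -> dict:
    """Map each index path listed under 'SHA256:' to (hexdigest, size)."""
    entries, in_section = {}, False
    for line in body.splitlines():
        if not line.startswith(" "):          # an unindented 'Key:' starts a section
            in_section = line.strip() == "SHA256:"
            continue
        m = SHA256_LINE.match(line)
        if in_section and m:
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries

def verify_indexes(inrelease: str, downloaded: dict) -> list:
    """Return index paths (downloaded: path -> bytes) that are missing or mismatched."""
    bad = []
    for path, (digest, size) in parse_sha256(clearsigned_body(inrelease)).items():
        data = downloaded.get(path)
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(path)
    return bad

MIRROR = {  # constructed stand-ins for a mirror's index files, not real Debian data
    "main/binary-amd64/Packages": b"Package: apt-offline\nVersion: 1.0\n",
    "main/source/Sources": b"Package: apt-offline\n",
}

def build_inrelease(files: dict) -> str:
    """InRelease-shaped document over index files; the signature is a placeholder."""
    rows = "".join(f" {hashlib.sha256(d).hexdigest()} {len(d)} {p}\n"
                   for p, d in sorted(files.items()))
    return (f"{SIGNED_START}\nHash: SHA256\n\nOrigin: Debian\nSuite: testing\n"
            f"SHA256:\n{rows}{SIG_START}\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
```

A file altered in transit with its size preserved is still reported, since the digest is compared as well as the size.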