Hamish Moffatt wrote: > But you need to be able to validate that package in some fashion too.
In this case it's validated using the other signature on the packages file, which is made with a key that apt already knows about. -- see shy jo
signature.asc
Description: Digital signature
