On Fri, 19 Oct 2012, Darac Marjal wrote:
> On Fri, Oct 19, 2012 at 12:28:36PM +0300, Lars Nooden wrote:
> > Hi,
> >
> > Where can I find an up-to-date description of exactly how PGP is used by APT
> > in packaging? I can't find the source any more, but I got the impression
> > that the individual packages were not signed but merely checksummed and
> > that the list of checksums was the only thing that was actually signed.
> > What is the real situation?
>
> That is true. As described here[1], the package checksums are stored in
> the "Packages" file, the checksums for the "Packages" file are stored in
> the "Release" file, and the Release file is GPG signed. So you have a
> chain of fidelity from Releases to the package and a chain of trust from
> yourself to the Releases.
>
> [1] http://wiki.debian.org/SecureApt
Thanks. The weak point, relatively speaking, looks to be the MD5 checksums in Releases. The link above [1] says "MD5 is now a broken hash function, and should be replaced for all security-minded usages."

Out of curiosity, what are the plans then for moving up to SHA256 or better?

Regards,
/Lars

Archive: http://lists.debian.org/alpine.bso.2.02.1210191311000.11...@yeeloong.dhcp.inet.fi
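The chain Darac describes (signed Release -> checksummed Packages -> checksummed .deb), walked in code as an added example; this is not code from the thread, from the SecureApt wiki page, or from apt itself. It assumes the Release file's OpenPGP signature has already been checked (the gpgv step is outside this snippet), starts from that trusted Release text, and uses constructed sample data in the real file layouts. The helper names (`verify_index`, `verify_deb`, `verify_chain`, the `allow_md5` switch) are this example's own. SHA256 is preferred at each hop; MD5Sum, the weak link Lars points at, is only consulted when explicitly allowed, and a Release file that offers nothing but MD5 is rejected by default.

```python
import hashlib
import re

# Constructed sample data, not taken from any real Debian mirror: a stand-in
# for a .deb body, a Packages index describing it, and Release files covering
# that index.  Field names and layout follow the real formats.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed stand-in for a .deb archive\n"
FILENAME = "pool/main/e/example/example_1.0-1_all.deb"
INDEX_PATH = "main/binary-all/Packages"

ALGOS = {"SHA256": hashlib.sha256, "MD5Sum": hashlib.md5}


def build_packages(deb: bytes) -> str:
    """One Packages stanza for the constructed .deb (field names as in real indexes)."""
    return (
        "Package: example\n"
        "Version: 1.0-1\n"
        f"Filename: {FILENAME}\n"
        f"Size: {len(deb)}\n"
        f"MD5sum: {hashlib.md5(deb).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(deb).hexdigest()}\n"
        "\n"
    )


def build_release(packages: str, algos=("MD5Sum", "SHA256")) -> str:
    """Release text listing the Packages index under the requested checksum sections."""
    data = packages.encode()
    out = "Origin: Example\nSuite: stable\n"
    for algo in algos:
        out += f"{algo}:\n {ALGOS[algo](data).hexdigest()} {len(data)} {INDEX_PATH}\n"
    return out


PACKAGES = build_packages(DEB_BYTES)
RELEASE = build_release(PACKAGES)                        # MD5Sum and SHA256 sections
MD5_ONLY_RELEASE = build_release(PACKAGES, ("MD5Sum",))  # the case Lars is worried about


def parse_release(text: str) -> dict:
    """Return {section: {path: (hexdigest, size)}} for the checksum sections of a Release file."""
    sums, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # "MD5Sum:" / "SHA256:" / other headers
            key = line.split(":", 1)[0]
            current = key if key in ALGOS else None
        elif current and line.strip():              # " <digest> <size> <path>"
            digest, size, path = line.split()
            sums.setdefault(current, {})[path] = (digest, int(size))
    return sums


def parse_packages(text: str) -> dict:
    """Return {Filename: fields} for each blank-line-separated stanza of a Packages index."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        pkgs[fields["Filename"]] = fields
    return pkgs


def _check(data: bytes, expected_size: int, algo: str, digest: str, what: str) -> None:
    if len(data) != expected_size or ALGOS[algo](data).hexdigest() != digest:
        raise ValueError(f"{what}: {algo} mismatch")


def verify_index(release: str, path: str, data: bytes, allow_md5: bool = False) -> str:
    """Check a fetched index against the Release file (assumed already verified by gpgv).
    SHA256 is preferred; MD5Sum is consulted only if allow_md5.  Returns the algorithm used."""
    sums = parse_release(release)
    for algo in ("SHA256", "MD5Sum"):
        if algo == "MD5Sum" and not allow_md5:
            continue
        if path in sums.get(algo, {}):
            digest, size = sums[algo][path]
            _check(data, size, algo, digest, path)
            return algo
    raise ValueError(f"{path}: no acceptable checksum in Release")


def verify_deb(packages: str, filename: str, deb: bytes, allow_md5: bool = False) -> str:
    """Check a fetched .deb against its stanza in an already-verified Packages index."""
    stanza = parse_packages(packages)[filename]
    for algo, field in (("SHA256", "SHA256"), ("MD5Sum", "MD5sum")):
        if algo == "MD5Sum" and not allow_md5:
            continue
        if field in stanza:
            _check(deb, int(stanza["Size"]), algo, stanza[field], filename)
            return algo
    raise ValueError(f"{filename}: no acceptable checksum in Packages")


def verify_chain(release, path, packages, filename, deb, allow_md5=False):
    """Walk Release -> Packages -> .deb; returns the algorithm used at each hop."""
    return (verify_index(release, path, packages.encode(), allow_md5),
            verify_deb(packages, filename, deb, allow_md5))


def rejects(fn) -> bool:
    """True if fn() raises ValueError (used to show tampering being caught)."""
    try:
        fn()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, PACKAGES, FILENAME, DEB_BYTES))
    print(rejects(lambda: verify_index(MD5_ONLY_RELEASE, INDEX_PATH, PACKAGES.encode())))
```

Note that nothing in this chain authenticates an individual .deb on its own: a package is only as trustworthy as the hash the signed Release file transitively vouches for, which is why the strength of that hash (the MD5-versus-SHA256 question in the thread) matters more than it would for a per-package signature.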