• Last 5 Forum Topics
    Last post

The Web Only This Site



  • MARC

    Mailing list ARChives
    - Search by -


    Computing Dictionary

  • Text Link Ads

  • LINUX man pages
  • Linux Man Page Viewer

    The following form allows you to view linux man pages.





           Starting with version 0.6, apt contains code that does signature
           checking of the Release file for all archives. This ensures that
           packages in the archive can't be modified by people who have no access
           to the Release file signing key.
           If a package comes from a archive without a signature or with a
           signature that apt does not have a key for that package is considered
           untrusted and installing it will result in a big warning.  apt-get will
           currently only warn for unsigned archives, future releases might force
           all sources to be verified before downloading packages from them.
           The package frontends apt-get(8), aptitude(8) and synaptic(8) support
           this new authentication feature.


           The chain of trust from an apt archive to the end user is made up of
           different steps.  apt-secure is the last step in this chain, trusting
           an archive does not mean that the packages that you trust it do not
           contain malicious code but means that you trust the archive maintainer.
           It's the archive maintainer responsibility to ensure that the archive
           integrity is correct.
           apt-secure does not review signatures at a package level. If you
           require tools to do this you should look at debsig-verify and debsign
           (provided in the debsig-verify and devscripts packages respectively).
           The chain of trust in Debian starts when a maintainer uploads a new
           package or a new version of a package to the Debian archive. This
           upload in order to become effective needs to be signed by a key of a
           maintainer within the Debian maintainer's keyring (available in the
           debian-keyring package). Maintainer's keys are signed by other
           maintainers following pre-established procedures to ensure the identity
           of the key holder.
           Once the uploaded package is verified and included in the archive, the
           maintainer signature is stripped off, an MD5 sum of the package is
           computed and put in the Packages file. The MD5 sum of all of the
           packages files are then computed and put into the Release file. The
           Release file is then signed by the archive key (which is created once a
           year) and distributed through the FTP server. This key is also on the
           Debian keyring.
           Any end user can check the signature of the Release file, extract the
           MD5 sum of a package from it and compare it with the MD5 sum of the
           package he downloaded. Prior to version 0.6 only the MD5 sum of the
           downloaded Debian package was checked. Now both the MD5 sum and the
           signature of the Release file are checked.
           Notice that this is distinct from checking signatures on a per package
           basis. It is designed to prevent two possible attacks:
           complement a per-package signature.


           apt-key is the program that manages the list of keys used by apt. It
           can be used to add or remove keys although an installation of this
           release will automatically provide the default Debian archive signing
           keys used in the Debian package repositories.
           In order to add a new key you need to first download it (you should
           make sure you are using a trusted communication channel when retrieving
           it), add it with apt-key and then run apt-get update so that apt can
           download and verify the InRelease or Release.gpg files from the
           archives you have configured.


           If you want to provide archive signatures in an archive under your
           maintenance you have to:
           ?   Create a toplevel Release file, if it does not exist already. You
               can do this by running apt-ftparchive release (provided in
           ?   Sign it. You can do this by running gpg --clearsign -o InRelease
               Release and gpg -abs -o Release.gpg Release.
           ?   Publish the key fingerprint, that way your users will know what key
               they need to import in order to authenticate the files in the
           Whenever the contents of the archive changes (new packages are added or
           removed) the archive maintainer has to follow the first two steps
           previously outlined.


           apt.conf(5), apt-get(8), sources.list(5), apt-key(8), apt-
           ftparchive(1), debsign(1) debsig-verify(1), gpg(1)
           For more background information you might want to review the Debian
           Security Infrastructure[1] chapter of the Securing Debian Manual
           (available also in the harden-doc package) and the Strong Distribution
           HOWTO[2] by V. Alex Brennen.


           APT bug page[3]. If you wish to report a bug in APT, please see
           /usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.


           APT was written by the APT team <>.


           This man-page is based on the work of Javier Fernandez-Sanguino Pena,
           Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
            3. APT bug page

    Linux 28 October 2008 APT-SECURE(8)


  • Linux

    The Distributions


    The Software


    The News


  • Toll Free
Copyright © 1999 - 2016 by LinuxGuruz