2004-06-18 13:01

by Vasil Kolev

How to do an automatic signature check of Debian packages:

Let’s assume that you have GPG installed. Also, it should be noted that this procedure was tested only on unstable, and I have no idea how it will go on a machine running stable. I could try that with marla, but later.

We add a sources.list entry for experimental:

deb ftp://debian.ludost.net/debian ../project/experimental main
(or
deb ftp://ftp.de.debian.org/debian ../project/experimental main
I’m not sure if it will work with ftp.bg.debian.org; at least it didn’t work a year ago.)

We tell apt that we want only what we explicitly ask for from experimental, in /etc/apt/preferences:
Package: *
Pin: release a=experimental
Pin-Priority: 50

Then install apt from experimental:
apt-get install apt/experimental

Then install the debian-keyring package (all the GPG keys of Debian people):
apt-get install debian-keyring

Add the role keys to apt’s keyring:
apt-key add /usr/share/keyrings/debian-role-keys.gpg

After that, run apt-get update, and it should go without problems. If you’re not using non-US, and only the standard archive, you might not need debian-keyring; the default key in apt-get is the one for that archive.

The verification that those keys are real is left as an exercise for the reader…
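One way to do that verification before running apt-key add, as an added example that is not part of the original post: list the primary-key fingerprints in a keyring and report any that are not in a list you confirmed out-of-band. The file name trusted.txt, the function names and the sample keys are assumptions constructed for illustration.

```shell
# Added example, not from the original post. Prints the primary-key fingerprints
# in a keyring that you have NOT verified out-of-band, before any "apt-key add".

# Read `gpg --with-colons --fingerprint` output on stdin; print the fingerprint
# of each primary key (the first "fpr" record after a "pub" record).
list_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# unverified_keys TRUSTED_FILE: colon listing on stdin. TRUSTED_FILE (hypothetical,
# built by you) holds one verified fingerprint per line; spaces, lower case and
# "#" comments are allowed. Prints unknown fingerprints, returns 1 if any.
# A missing TRUSTED_FILE trusts nothing, so the check fails closed.
unverified_keys() {
    list_fingerprints | awk -v tf="$1" '
        BEGIN {
            while ((getline line < tf) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[toupper(line)] = 1
            }
        }
        !($0 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample in gpg colon format: two made-up keys, one with a subkey.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:89ABCDEF00000001:1072915200:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000001:
uid:-::::1072915200::::Constructed Archive Key <archive@example.invalid>:
sub:-:2048:16:89ABCDEF000000FF:1072915200::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF000000FF:
pub:-:1024:17:89ABCDEF00000002:1072915200:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00000002:
uid:-::::1072915200::::Constructed Role Key <role@example.invalid>:
EOF
}

# Demo: only the first constructed key is trusted, so the second is reported.
tmp=$(mktemp)
echo '0123 4567 89ab cdef 0123 4567 89ab cdef 0000 0001  # checked in person' > "$tmp"
sample_listing | unverified_keys "$tmp" || echo "unverified keys listed above" >&2
rm -f "$tmp"
# Real use, with the keyring path from the post:
#   gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg \
#       --with-colons --fingerprint | unverified_keys trusted.txt \
#     && apt-key add /usr/share/keyrings/debian-role-keys.gpg
```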
