ubuntu
kobrinartem, 2014-01-13 23:35:28

What is the difference between signing with the gpg key of a repository and a package in Debian or Ubuntu?

For a signed repository, running the apt-get update command requires that the public key be installed, and the logic of why this is needed is clear. But it is not entirely clear what signing the .dsc and .changes files gives. I guess that this allows the maintainer to be identified accurately. But, for example, if I pre-sign with my key, where will it come out? What does this signature give compared to if it weren't there?


1 answer(s)
vsespb, 2014-01-14
@kobrinartem

And what if the user downloads not a binary package but a source package? That is exactly what .dsc is; the signature is needed there for the same reason as in a binary package: the user checks its integrity.
A source.changes file, for example in an Ubuntu PPA, is uploaded to the build server. It contains checksums of the .dsc and the tar.gz. The package is built on the build server. How does the build server know that it was the author of the program who uploaded the archive? By the digital signature. Then the build server signs the binary package with its own digital signature. If source.changes were authenticated by something less secure than a digital signature, that would be a weak link.
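As an added example (not code from either post) of the check the answer describes: once gpg has verified the uploader's signature on a .changes file, its Checksums-Sha256 field ties that signature to the .dsc and the tarball, so a swapped tarball is caught. The file names, file contents and the placeholder signature block are constructed; gpg_verify assumes gpg is on PATH and the uploader's key is in the keyring.

```python
import hashlib, re, subprocess, tempfile
from pathlib import Path

def gpg_verify(changes_path):
    """Step 1: OpenPGP signature check; needs the uploader's key in the keyring."""
    return subprocess.run(["gpg", "--verify", str(changes_path)], capture_output=True).returncode == 0

def strip_clearsign(text):
    """Return the signed body with the clearsign armor removed (verifies nothing; see gpg_verify)."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        i = 1
        while i < len(lines) and lines[i].strip():   # skip "Hash: ..." header lines
            i += 1
        lines = lines[i + 1:lines.index("-----BEGIN PGP SIGNATURE-----")]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines)  # undo dash-escaping

def parse_checksums(body):
    """Map filename -> (size, sha256) from the Checksums-Sha256 field."""
    m = re.search(r"^Checksums-Sha256:\n((?: .*\n?)+)", body, re.M)
    if not m:
        raise ValueError("no Checksums-Sha256 field")
    out = {}
    for line in m.group(1).splitlines():
        digest, size, name = line.split()
        out[name] = (int(size), digest)
    return out

def verify_files(changes_text, directory):
    """Step 2: [(name, ok)] for every file the signed .changes vouches for."""
    def ok(p, size, digest):
        return p.is_file() and p.stat().st_size == size and hashlib.sha256(p.read_bytes()).hexdigest() == digest
    return [(name, ok(Path(directory) / name, size, digest))
            for name, (size, digest) in parse_checksums(strip_clearsign(changes_text)).items()]

def demo():
    """Constructed upload: two files, a .changes with a placeholder signature, then a swapped tarball."""
    d = Path(tempfile.mkdtemp())
    files = {"hello_1.0.dsc": b"Format: 3.0 (quilt)\nSource: hello\n",
             "hello_1.0.tar.gz": b"constructed stand-in for the tarball\n"}
    for name, data in files.items():
        (d / name).write_bytes(data)
    body = "Source: hello\nChecksums-Sha256:\n" + "".join(
        f" {hashlib.sha256(v).hexdigest()} {len(v)} {k}\n" for k, v in files.items()) + "Files:\n"
    armored = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body +
               "-----BEGIN PGP SIGNATURE-----\n(placeholder, not a real signature)\n-----END PGP SIGNATURE-----\n")
    good = verify_files(armored, d)
    (d / "hello_1.0.tar.gz").write_bytes(b"tampered")   # a swap the signature does not cover
    return good, verify_files(armored, d)
```

The same two steps are what a build server does with source.changes before it builds and re-signs the binaries: authenticate the uploader via the signature, then refuse to build if any listed digest does not match the uploaded files.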
