(resend w/o signature)

> I'm really a big fan of debian, but it's kind of tough navigating
> the best "get well" plan following the compromise with the relatively
> little amount of information available. DWN yesterday was of some help,
> but still doesn't help me get around my current "signature" related
> concerns.
>
> Since I know some of you are seasoned debian users I'm hoping you can
> point me in the right direction.
>
> My problem is that I'm trying to update the system (with dselect) and many
> package updates fail with:
>
> Authenticating /var/cache/apt/archives/debconf-utils_1.3.22_all.deb ...
> debsig: Origin Signature check failed. This deb might not be signed.
> dpkg: error processing /var/cache/apt/archives/debconf-utils_1.3.22_all.deb (--unpack):
>  Verification on package /var/cache/apt/archives/debconf-utils_1.3.22_all.deb failed!
>
> So I know this problem is due to dselect calling 'dpkg --unpack' which
> in turn calls 'debsig-verify' which is failing. The documentation on
> debsig verify gives some examples, but it's not clear to me what the
> 'right' thing to do is....
>
> Should I:
> 1. Get and verify current keys (e.g. debian-debsig.gpg and
>    debian-keyring.gpg)
>    (tips on doing this appreciated)
> 2. Should I put the keys in...
>    /usr/share/debsig/keyrings/Debian/debian-keyring.gpg
>    (I'm not clear on the last dir component name)
> 3. Should I use (or modify)
>    /usr/share/doc/debsig-verify/examples/generic.pol
>    and put it in
>    /etc/debsig/policies/Debian/debian.pol
> 4. Assuming I get a good set of keys and policies in place... what's the
>    best way to deal with packages that are simply not signed?
>    Would you recommend 'dpkg --force-bad-verify --unpack
>    debconf-utils_1.3.22_all.deb'?
>    Should I wait until all the core packages get signed?
> 5. Then (according to wiggy.net which seems to be down) run debsums?
>    http://216.239.57.104/search?q=cache:lBvF6QZNaV4J:www.wiggy.net/debian/developer-securing/+developer+debian+debsums+cleanup+info&hl=en&ie=UTF-8
> 6. Other recommendations (continue checking for rootkits, use fam, other
>    IDS)?
>
> Thanks!
>
> --Tom

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list