summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2015-06-11 18:51:43 -0300
committerSilvio Rhatto <rhatto@riseup.net>2015-06-11 18:51:43 -0300
commit2a51757c2d33ddc8c5eb001177f7530f6116b73d (patch)
treecebdab8b67d6c2341eab74ff6090b5f217e7e3c5
parentd1ec220a76a182a3d821928c694bd419d9cdd072 (diff)
downloaddebian-2a51757c2d33ddc8c5eb001177f7530f6116b73d.tar.gz
debian-2a51757c2d33ddc8c5eb001177f7530f6116b73d.tar.bz2
Checking the source: debian images
-rw-r--r--checking.md12
1 files changed, 10 insertions, 2 deletions
diff --git a/checking.md b/checking.md
index f0a71a8..f99fa1d 100644
--- a/checking.md
+++ b/checking.md
@@ -1,11 +1,20 @@
Checking the source
===================
+Debian Images
+-------------
+
+See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify).
+
+Source packages
+---------------
+
This is the trick part. In theory, you could run just
dscverify *.dsc
-Which would check if the signature was made for a key included in the `debian-keyring` package.
+Which would check if the signature was made for a key included in the `debian-keyring` package or if you
+have a verification path with the signing key.
In practice, it should always work for sources you download from the **same** Debian version you're running.
But sources you download from newer versions might not work, depending basically if the maintainer's key is
@@ -116,4 +125,3 @@ See also:
* [Debian Public Key Server](http://keyring.debian.org/).
* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
-