Joey Hess
2005-Nov-02 06:20 UTC
[SECURITY] [ANNOUNCE] using secure apt with the testing security archive
--------------------------------------------------------------------------
Debian Testing Security Announcement                    November 1st, 2005
secure-testing-team@lists.alioth.debian.org                      Joey Hess
http://secure-testing-master.debian.net/
--------------------------------------------------------------------------

A new version of apt, 0.6.42, has reached Debian testing. This new apt
supports verifying signed apt repositories, adding an important layer of
security to Debian upgrades by preventing installation of forged packages.
The details are explained in the apt-secure(8) man page.

To use this new feature, first make sure you have gnupg installed, and
upgrade to apt 0.6.42. The signature checking is enabled by default, and
apt will warn if it cannot verify a repository's signature.

By default apt comes preconfigured to trust only the official Debian
archive signing key used in the official Debian repository. To make apt
also trust the key used by the Debian testing security archive, run the
following command as root:

  wget http://secure-testing.debian.net/ziyi-2005-7.asc -O - | sudo apt-key add -

A copy of the key is also included below, and can be fed into apt-key by
hand if you prefer (perhaps after checking the gnupg signature of this
announcement).

Once you have successfully added the key, the command "apt-key list" will
include the following in its output:

  pub   1024D/8722E71E 2005-08-24 [expires: 2008-01-31]
  uid                  secure-testing Archive Key 2005-7 <katie@secure-testing.debian.net>
  sub   2048g/A04E64FA 2005-08-24 [expires: 2008-01-31]

Note that an updated set of repository signing keys is planned to be
provided in January of each year.

If you have not already done so, you will also need the following lines in
your /etc/apt/sources.list to use the Debian testing security archive:

  deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
  deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free

For further information about the Debian testing security team, please refer
to http://secure-testing-master.debian.net/

-- 
see shy jo
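
The "apt-key list" check described in the announcement can be scripted. The following is an added example, not part of the original announcement: the function name check_key and the variable SAMPLE_LISTING are hypothetical, and the sample listing is the expected output quoted in the announcement, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: confirm that a key listing contains the primary key ID
# named in the announcement and that the key has not expired.

# Sample input: the "apt-key list" excerpt quoted in the announcement.
SAMPLE_LISTING='pub   1024D/8722E71E 2005-08-24 [expires: 2008-01-31]
uid                  secure-testing Archive Key 2005-7 <katie@secure-testing.debian.net>
sub   2048g/A04E64FA 2005-08-24 [expires: 2008-01-31]'

# check_key LISTING EXPECTED_ID TODAY
#   LISTING      text in the "pub/uid/sub" format shown above
#   EXPECTED_ID  short key ID expected on a "pub" line
#   TODAY        reference date as YYYY-MM-DD
# Prints "ok", "missing" or "expired"; returns 0 only for "ok".
check_key() {
    listing=$1
    expected=$2
    today=$3

    # Only "pub" lines count: a matching subkey ID is not the archive key.
    # Appending "" forces a string comparison, since IDs such as 8722E71E
    # can look partly numeric to awk.
    line=$(printf '%s\n' "$listing" | awk -v id="$expected" '
        $1 == "pub" { split($2, a, "/"); if ((a[2] "") == id) { print; exit } }')
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi

    # Pull the date out of "[expires: YYYY-MM-DD]"; empty if no expiry is set.
    expires=$(printf '%s\n' "$line" | sed -n 's/.*\[expires: \([0-9-]*\)\].*/\1/p')

    # With the dashes removed, ISO dates compare correctly as integers.
    if [ -n "$expires" ] &&
       [ "$(printf '%s' "$expires" | tr -d '-')" -lt "$(printf '%s' "$today" | tr -d '-')" ]; then
        echo expired
        return 1
    fi
    echo ok
}

# Demonstration run against the embedded sample, dated as the announcement.
check_key "$SAMPLE_LISTING" 8722E71E 2005-11-02
```

On a live system the first argument would be the output of "apt-key list". A matching key ID is a sanity check on what was imported; checking the gnupg signature of the announcement, as suggested above, is what ties the key to its publisher.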