gnewsense-users

Re: [gNewSense-users] gNewSense Repository PGP Key


From: Lars Nooden
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Mon, 14 Dec 2009 00:35:55 +0200 (EET)
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Sun, 13 Dec 2009, Jason Self wrote:
> You do use the public key to verify the authenticity of the software being downloaded, but someone else's public key cannot be used to verify the signature done with a different secret key... you need to use the public key that corresponds to the secret key used to do the actual signing.

IIRC PGP is used to sign the release files (*) and the MD5 checksums of the individual packages are kept there and used by APT. The goals are to ensure authenticity and integrity of the packages. Currently generating MD5 collisions (**) may or may not be feasible, but it probably could be done in a reasonable amount of time with distributed processing.

One of the other digest algorithms might be safer nowadays, such as SHA256, for a while, if it doesn't slow things down too much.

> ... if the public key were put on the wiki ...

The wiki might be too ephemeral. Somewhere harder to change might be good. There are some keys listed on this page:
        http://www.gnewsense.org/Main/FixExpiredArchiveKey

Or the FAQ might be a place for the metad key:
        http://www.gnewsense.org/index.php?n=FAQ.FAQ


/Lars

*       http://wiki.debian.org/SecureApt

**      http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html
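The SecureApt flow Lars sketches (a PGP-signed Release file whose per-file digests APT then checks), as an added example that is not part of this thread or of gNewSense's own tooling. It assumes a Debian-style Release layout and GNU coreutils; the keyring path and index file names are placeholders.

```shell
#!/bin/sh
# Added example: check a SecureApt-style repository the way the thread
# describes it. Step 1: verify the detached PGP signature on Release
# against a keyring you already trust. Step 2: compare the digests that
# Release records for an index file with the file actually fetched.
# SHA256 decides; the MD5Sum entry is only cross-checked, since MD5
# collisions are the concern raised above. Requires gpgv, sha256sum, md5sum.

verify_release_sig() {  # keyring Release.gpg Release
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# Print the digest Release records for a path under a section such as
# SHA256 or MD5Sum. Sections look like:
#   SHA256:
#    <hex>  <size> main/binary-i386/Packages
release_digest() {  # Release section path
    awk -v sec="$2:" -v path="$3" '
        /^[A-Za-z0-9]+:/ { insec = ($1 == sec); next }  # new header line
        insec && $3 == path { print $1; exit }            # digest for path
    ' "$1"
}

# Succeed only when Release lists a SHA256 for the path and both the
# SHA256 and the MD5Sum entries match the local file.
verify_index() {  # Release repo_dir path
    want_sha=$(release_digest "$1" SHA256 "$3")
    want_md5=$(release_digest "$1" MD5Sum "$3")
    [ -n "$want_sha" ] || return 1                    # no SHA256: refuse
    have_sha=$(sha256sum "$2/$3" | awk '{print $1}')
    have_md5=$(md5sum "$2/$3" | awk '{print $1}')
    [ "$want_sha" = "$have_sha" ] && [ "$want_md5" = "$have_md5" ]
}

# Whole check: signature on Release first, then the index digests.
# Usage (placeholder paths): check_release /path/trusted.gpg /path/repo main/binary-i386/Packages
check_release() {  # keyring repo_dir path
    verify_release_sig "$1" "$2/Release.gpg" "$2/Release" || return 1
    verify_index "$2/Release" "$2" "$3"
}
```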



