Signatures and signed packages (Re: [Techtalk] Fwd: OpenSSH trojan?)

Mary mary-linuxchix at puzzling.org
Sun Aug 4 10:40:39 EST 2002


On Sat, Aug 03, 2002 at 03:24:57PM +0100, hobbit at aloss.ukuu.org.uk wrote:
> By checking the signature against the separately-distributed
> GPG key, you can check it really came from your vendor's
> main ftp site and that the mirror itself hasn't been compromised.
> (So if the main site is caught, we're all in trouble :)) 

One of the things about GPG signatures is that you can actually sign
someone else's GPG key to say "yes, I trust that key X belongs to person
Y". (Only someone with the secret key, which generally has its own
password, can make the signature, you just have to trust that the secret
key belongs to who it's meant to - and that's why other people are meant
to sign them.)

I don't know about other distributions, but Debian developers must have
their key signed by at least two different Debian developers. So you
could also check the GPG key for signatures.

People who are interested in PGP (the commercial implementation with
which GPG is compatible), GPG, and signatures should have a look at the
comp.security.pgp FAQ:
http://www.uk.pgp.net/pgpnet/pgp-faq/

and the GNU Privacy Handbook:
http://www.gnupg.org/gph/en/manual.html

-Mary
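An added example, not part of Mary's message or any project's code, showing the "check the key for signatures" step as a script: it parses the colon-delimited output of `gpg --with-colons --list-sigs` (field 5 of a `sig`/`rev` record is the signer's key ID, field 11 the signature class) and applies the "at least two distinct developers" rule. The listing and key IDs below are constructed; the trusted key IDs are assumed to come from a developer keyring you obtained separately, not from the mirror.

```python
# Constructed sample of `gpg --with-colons --list-sigs <keyid>` output.
# Key IDs and user IDs are made up for illustration.
SAMPLE_LISTING = """\
pub:f:1024:17:ABCDEF0123456789:2002-08-01:::-:::scESC:
uid:f::::2002-08-01::0000::Example Developer <dev@example.org>:
sig:::17:ABCDEF0123456789:2002-08-01::::Example Developer <dev@example.org>:13x:
sig:::17:1111111111111111:2002-08-02::::Alice <alice@example.org>:10x:
sig:::17:1111111111111111:2002-08-03::::Alice <alice@example.org>:10x:
sig:::17:2222222222222222:2002-08-02::::Bob <bob@example.org>:10x:
sig:::17:4444444444444444:2002-08-02::::Mallory <m@example.net>:10x:
rev:::17:2222222222222222:2002-08-04::::Bob <bob@example.org>:30x:
"""

# Assumed: developer key IDs taken from a keyring obtained out of band.
TRUSTED_SIGNERS = {"1111111111111111", "2222222222222222", "3333333333333333"}

# Signature classes 0x10-0x13 are user-ID certifications ("I vouch that this
# key belongs to this person"); other classes (subkey bindings etc.) are not.
CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def certifying_signers(listing, trusted_signers):
    """Return the trusted third-party key IDs holding an unrevoked
    certification on the key described by `listing`."""
    owner = None
    signed, revoked = set(), set()
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 11:
            continue
        rtype, signer, sigclass = fields[0], fields[4], fields[10]
        if rtype == "pub":
            owner = signer                      # the key being examined
        elif rtype == "sig" and sigclass[:2] in CERTIFICATION_CLASSES:
            signed.add(signer)
        elif rtype == "rev":
            revoked.add(signer)                 # signer withdrew an earlier certification
    # A self-signature says nothing about identity, an unknown signer says
    # nothing you can rely on, and a revoked certification no longer counts.
    # (Re-certification after a revocation is not handled here.)
    return {s for s in signed - revoked if s != owner and s in trusted_signers}


def meets_policy(listing, trusted_signers, minimum=2):
    """True if at least `minimum` distinct trusted developers certify the key."""
    return len(certifying_signers(listing, trusted_signers)) >= minimum
```

Alice's two signatures count once, Mallory is not in the trusted set, and Bob's certification was revoked, so the sample key fails the two-developer rule.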
