Equivalent of `rpm -K` using `apt`
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
What is the apt equivalent of rpm -K *.rpm, where -K is defined as verifying the signature of the repository in man rpm and in Maximum RPM?
Example of a situation:
sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
debian rhel apt rpm gpg
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
add a comment |
What is the apt equivalent of rpm -K *.rpm, where -K is defined as verifying the signature of the repository in man rpm and in Maximum RPM?
Example of a situation:
sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
debian rhel apt rpm gpg
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
4
dpkgis the equivalent torpmnotapt. Do have a.debyou wish to install but want to verify the integrity of or are you installing something from your repositories?
– kemotep
Mar 14 at 11:05
I don't have a.debonly anrpm. I could usealiento convert it into a.debthough. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.
– tsujp
Mar 15 at 2:54
Well that's part of the problem. You did not mention that you were usingalien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between thedebandrpmanyway. As user Stephen Kitt points out, if the maintainers of the package did not usedebsig-verifyfor thedebversion of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.
– kemotep
Mar 15 at 10:45
add a comment |
What is the apt equivalent of rpm -K *.rpm, where -K is defined as verifying the signature of the repository in man rpm and in Maximum RPM?
Example of a situation:
sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
debian rhel apt rpm gpg
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
What is the apt equivalent of rpm -K *.rpm, where -K is defined as verifying the signature of the repository in man rpm and in Maximum RPM?
Example of a situation:
sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
debian rhel apt rpm gpg
debian rhel apt rpm gpg
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
edited Mar 14 at 14:11
Stephen Kitt
181k25414493
181k25414493
asked Mar 14 at 9:57
tsujptsujp
325211
asked Mar 14 at 9:57
tsujptsujp
325211
asked Mar 14 at 9:57
tsujptsujp
325211
325211
4
dpkgis the equivalent torpmnotapt. Do have a.debyou wish to install but want to verify the integrity of or are you installing something from your repositories?
– kemotep
Mar 14 at 11:05
I don't have a.debonly anrpm. I could usealiento convert it into a.debthough. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.
– tsujp
Mar 15 at 2:54
Well that's part of the problem. You did not mention that you were usingalien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between thedebandrpmanyway. As user Stephen Kitt points out, if the maintainers of the package did not usedebsig-verifyfor thedebversion of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.
– kemotep
Mar 15 at 10:45
add a comment |
4
dpkgis the equivalent torpmnotapt. Do have a.debyou wish to install but want to verify the integrity of or are you installing something from your repositories?
– kemotep
Mar 14 at 11:05
I don't have a.debonly anrpm. I could usealiento convert it into a.debthough. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.
– tsujp
Mar 15 at 2:54
Well that's part of the problem. You did not mention that you were usingalien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between thedebandrpmanyway. As user Stephen Kitt points out, if the maintainers of the package did not usedebsig-verifyfor thedebversion of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.
– kemotep
Mar 15 at 10:45
4
4
dpkg is the equivalent to rpm not apt. Do have a .deb you wish to install but want to verify the integrity of or are you installing something from your repositories?– kemotep
Mar 14 at 11:05
dpkg is the equivalent to rpm not apt. Do have a .deb you wish to install but want to verify the integrity of or are you installing something from your repositories?– kemotep
Mar 14 at 11:05
I don't have a
.deb only an rpm. I could use alien to convert it into a .deb though. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.– tsujp
Mar 15 at 2:54
I don't have a
.deb only an rpm. I could use alien to convert it into a .deb though. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.– tsujp
Mar 15 at 2:54
Well that's part of the problem. You did not mention that you were using
alien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between the deb and rpm anyway. As user Stephen Kitt points out, if the maintainers of the package did not use debsig-verify for the deb version of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.– kemotep
Mar 15 at 10:45
Well that's part of the problem. You did not mention that you were using
alien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between the deb and rpm anyway. As user Stephen Kitt points out, if the maintainers of the package did not use debsig-verify for the deb version of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.– kemotep
Mar 15 at 10:45
add a comment |
1 Answer
1
active
oldest
votes
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.
Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506251%2fequivalent-of-rpm-k-using-apt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.
Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
add a comment |
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.
Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
add a comment |
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.
Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.
Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
edited Mar 14 at 11:22
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
answered Mar 14 at 11:16
Stephen KittStephen Kitt
181k25414493
181k25414493
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506251%2fequivalent-of-rpm-k-using-apt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
dpkgis the equivalent torpmnotapt. Do have a.debyou wish to install but want to verify the integrity of or are you installing something from your repositories?– kemotep
Mar 14 at 11:05
I don't have a
.debonly anrpm. I could usealiento convert it into a.debthough. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al.– tsujp
Mar 15 at 2:54
Well that's part of the problem. You did not mention that you were using
alien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between thedebandrpmanyway. As user Stephen Kitt points out, if the maintainers of the package did not usedebsig-verifyfor thedebversion of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.– kemotep
Mar 15 at 10:45