Equivalent of `rpm -K` using `apt`

What is the `apt` equivalent of `rpm -K *.rpm`, where `-K` is defined as verifying the signature of the repository in `man rpm` and in Maximum RPM?

Example of a situation:

```sh
sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
```

Tags: debian, rhel, apt, rpm, gpg

edited Mar 14 at 14:11 by Stephen Kitt
asked Mar 14 at 9:57 by tsujp

  • dpkg is the equivalent to rpm, not apt. Do you have a .deb you wish to install but want to verify the integrity of, or are you installing something from your repositories?
    – kemotep, Mar 14 at 11:05

  • I don't have a .deb, only an rpm. I could use alien to convert it into a .deb though. Or rather, I have been but not properly, as whenever I've tried to verify the signature (probably incorrectly) I get errors et al.
    – tsujp, Mar 15 at 2:54

  • Well that's part of the problem. You did not mention that you were using alien. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between the deb and rpm anyway. As user Stephen Kitt points out, if the maintainers of the package did not use debsig-verify for the deb version of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you.
    – kemotep, Mar 15 at 10:45

1 Answer
The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.



Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.






edited Mar 14 at 11:22
answered Mar 14 at 11:16 by Stephen Kitt
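
The answer's point that Debian authenticates the repository as a whole can be checked by hand: a signed Release file vouches for the Packages index by hash, and the index vouches for each .deb by hash. The following is an added example, not part of the original answer; the miniature repository, its file names and the `verify_deb` helper are constructed for illustration, and the keyring path in the comment is the usual Debian location (an assumption).

```shell
# Added example: the hash chain apt relies on, checked by hand for one .deb.
# Step 0, not run here because it needs the archive keyring and a real InRelease:
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# SHA256 that Release file $1 records for index path $2.
# Entries under "SHA256:" look like " <hash> <size> <path>".
release_hash() {
    awk -v want="$2" '
        /^SHA256:/ { insec = 1; next }
        /^[^ ]/    { insec = 0 }
        insec && $3 == want { print $1; exit }' "$1"
}

# SHA256 that Packages index $1 records for the stanza with Filename: $2.
packages_hash() {
    awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
        { fn = ""; h = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^Filename: /) fn = substr($i, 11)
              if ($i ~ /^SHA256: /)   h  = substr($i, 9)
          }
          if (fn == want) { print h; exit } }' "$1"
}

# verify_deb RELEASE INDEX_PATH PACKAGES POOL_PATH DEB
# returns 0 = chain intact, 2 = index not vouched for by Release,
#         3 = .deb not vouched for by the index
verify_deb() {
    want=$(release_hash "$1" "$2")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$3")" ] || return 2
    want=$(packages_hash "$3" "$4")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$5")" ] || return 3
}

# Constructed miniature repository (all names and contents are made up).
make_demo_repo() {
    printf 'constructed payload\n' > "$1/hello.deb"
    printf 'Package: hello\nFilename: pool/main/h/hello/hello_1.0_amd64.deb\nSHA256: %s\n' \
        "$(sha256_of "$1/hello.deb")" > "$1/Packages"
    printf 'Suite: stable\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
        "$(sha256_of "$1/Packages")" "$(wc -c < "$1/Packages")" > "$1/Release"
}

demo=$(mktemp -d) && make_demo_repo "$demo"
verify_deb "$demo/Release" main/binary-amd64/Packages "$demo/Packages" \
    pool/main/h/hello/hello_1.0_amd64.deb "$demo/hello.deb" && echo "hello.deb: OK"
rm -rf "$demo"
```

On a real system the Release content must be taken from the InRelease file only after `gpgv` accepts it; without that step the matching hashes prove nothing about origin.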
