
Packages seem to be downloaded over http from the Ubuntu main repository, so I was wondering whether the client's OS verifies the packages once downloaded?

If so please could someone outline the different steps in this process? Would be much obliged if you could use apt-get flac as an example!

When exploring http://archive.ubuntu.com/ubuntu/pool/main/f/flac/ I can see that there is a DSC file for each version of the package. Within this are the hashes of the XZ archives for the release, which in turn is signed by one of the maintainers.
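As an added illustration (not from the question, and not Ubuntu's or apt's own code) of the hash chain apt walks once gpgv has verified the signed Release file: the Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 and size of a .deb. The Release, Packages and .deb contents below are constructed stand-ins, and the pool and index paths are assumed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed fixtures, not real archive content. The GPG signature over the
# Release file (InRelease / Release.gpg, checked by gpgv) is not modelled here.
DEB_BYTES = b"constructed stand-in for the bytes of flac_1.3.3-1_amd64.deb\n"
DEB_PATH = "pool/main/f/flac/flac_1.3.3-1_amd64.deb"       # assumed pool layout
PACKAGES_PATH = "main/binary-amd64/Packages"                # assumed index path
PACKAGES_BYTES = (f"Package: flac\nVersion: 1.3.3-1\nFilename: {DEB_PATH}\n"
                  f"Size: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n\n").encode()
RELEASE_TEXT = (f"Suite: focal\nSHA256:\n {sha256_hex(PACKAGES_BYTES)} "
                f"{len(PACKAGES_BYTES)} {PACKAGES_PATH}\n")

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the multi-line 'SHA256:' field of a Release file."""
    field = release_text.partition("SHA256:\n")[2]      # "" if the field is absent
    entries = {}
    for line in field.splitlines():
        if not line.startswith(" "):
            break                                        # next top-level field
        digest, size, path = line.split()
        entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text: str) -> list:
    """Split a Packages index into one {Field: value} dict per stanza."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        stanzas.append({k.strip(): v.strip() for k, _, v in pairs})
    return stanzas

def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes) -> bool:
    """True only if Release vouches for the Packages index (hash and size) and that
    index vouches for the .deb (hash and size); any mismatch or missing entry fails."""
    expected = parse_release_sha256(release_text).get(packages_path)
    if expected is None or expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get("Filename") == deb_path:
            return (stanza.get("SHA256") == sha256_hex(deb_bytes)
                    and int(stanza.get("Size", -1)) == len(deb_bytes))
    return False
```

Because every link is a hash of the next file, a .deb or Packages index altered in transit over plain http fails the check even though only the Release file carries a signature.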

  • Relevant: Ubuntu developer discussion of the advantages and problems of https repositories at https://bugs.launchpad.net/ubuntu/+bug/1464064 – user535733 Oct 31 '20 at 11:39
  • Does this answer your question? [How is the authenticity of Ubuntu updates verified?](https://askubuntu.com/questions/710158/how-is-the-authenticity-of-ubuntu-updates-verified) – Nmath Nov 10 '20 at 04:39
  • It teases me with info, as does https://manpages.ubuntu.com/manpages/precise/en/man8/apt-secure.8.html, but I still don't understand. If I download http://ftp.debian.org/debian/pool/main/f/flac/flac_1.3.3-1_amd64.deb then there is a file with md5 sums, but I can't find any release(s).gpg file and nothing seems to be PGP signed? – We'll See Nov 11 '20 at 18:45

0 Answers