
> GPG signing a Debian package does nothing because package signatures are not verified by default on any major distribution when packages are installed with apt-get install

That's sliiiiiiightly misleading. :/



On both Debian 9.4 and Ubuntu 16.04 (what I have handy):

  # Do not enable debsig-verify by default; since the distribution is not using
  # embedded signatures, debsig-verify would reject all packages.
  no-debsig



