I don't know if this is the place for this, but I'm gonna give it a try.
If I'm downloading some tar archives from a Debian server (http://cdn-fastly.deb.debian.org/debian ... ian.tar.xz),
HOW can I find a secure way to verify that archive?
I can't trust(?) the sha256 information in a file from the same site (since it's http, and if the archive has been altered, so could the .dsc file).
Especially when I get this result:
Code:
root@socks:~# dpkg-source -x squid_4.13-10.dsc
gpgv: Signature made Fri May 28 12:12:52 2021 UTC
gpgv: using RSA key 06A3E5760F611B4BB1A90E68B8688CA3D876D5A3
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./squid_4.13-10.dsc
Is there an official list somewhere?
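
Added example, not part of the original post: the SHA-256 values in a .dsc only mean something once gpgv has accepted the signature over them, so this shell function checks downloaded files against the Checksums-Sha256 field of the signed text that gpgv writes out. The function name, the file names and the keyring path in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check files against the Checksums-Sha256 field of a .dsc.
# Assumption: "$1" is the signed text gpgv wrote out after a successful check,
# with the uploader's key in a keyring you trust (path below is the one the
# debian-keyring package installs):
#   gpgv --keyring /usr/share/keyrings/debian-keyring.gpg \
#        --output squid.signed squid_4.13-10.dsc
# Parsing the raw .dsc instead would also read text outside the signed region.

check_dsc_sha256() {
    signed=$1    # signed text of the .dsc
    dir=$2       # directory holding the downloaded files
    # Emit "sha256 size name" for each continuation line of the field.
    entries=$(awk '
        /^Checksums-Sha256:/ { f = 1; next }
        f && /^ /            { print $1, $2, $3; next }
                             { f = 0 }' "$signed")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 field" >&2; return 2; }
    rc=0
    while read -r want size name; do
        case $name in
            # The field should name plain files only; refuse paths.
            ''|*/*|.*) echo "REJECT unsafe name: $name" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        bytes=$(wc -c < "$dir/$name" | tr -d ' ')
        if [ "$got" = "$want" ] && [ "$bytes" = "$size" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}
```
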