X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/366cff695ae0a228300817e278c7ddf62ca52c34..178dd062eeaa1d7e56770455e005dc27aa71f026:/doc/apt-secure.8.xml diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 20f473f77..f8ff678b9 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -5,6 +5,9 @@ %aptent; + +%aptverbatiment; + ]> @@ -68,7 +71,7 @@ different steps. apt-secure is the last step in this chain, trusting an archive does not mean that the packages that you trust it do not contain malicious code but means that you - trust the archive maintainer. Its the archive maintainer + trust the archive maintainer. It's the archive maintainer responsibility to ensure that the archive integrity is correct. @@ -94,7 +97,7 @@ is computed and put in the Packages file. The MD5 sum of all of the packages files are then computed and put into the Release file. The Release file is then signed by the archive key (which is created - once a year and distributed through the FTP server. This key is + once a year) and distributed through the FTP server. This key is also on the Debian keyring. @@ -145,8 +148,8 @@ (you should make sure you are using a trusted communication channel when retrieving it), add it with apt-key and then run apt-get update so that apt can download - and verify the Release.gpg files from the archives you - have configured. + and verify the InRelease or Release.gpg + files from the archives you have configured. @@ -157,15 +160,16 @@ - Create a toplevel Release - file. if it does not exist already. You can do this + Create a toplevel Release + file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils). - Sign it. You can do this by running + Sign it. You can do this by running + gpg --clearsign -o InRelease Release and gpg -abs -o Release.gpg Release. - Publish the key fingerprint, + Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.