Where is the PGP Verification taking place? In Linux CLI commandline installation

Browser Support Desktop Support
1

installation has worked properly so far.
i am just asking myself where exactly the pgp verification takes place ?

sudo apt install apt-transport-https curl

sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list

sudo apt update

sudo apt install brave-browser

Yes the curl -fsSLo adds the brave keyring but as far as i understand it the ā€œecho | teeā€ command only writes the contents of echos quotationmarks into the defined file in tee.

Edit: Therefore i am asking if step 2 and 3 are obsolete ? and if so how can i manually verify the package ?

2

tee will write its input to the specified file, as well as stdout. Looks to me like this is in the instructions for ā€˜visibilityā€™ purposes, i.e. to print on the terminal what is also being written out to the file.

After that, the ā€˜signed-byā€™ option appears to be explained here:

https://manpages.debian.org/bullseye/apt/sources.list.5.en.html

So in short, the curl writes out the key file, and the subsequent command tells your package manager (apt) to use that exact key for verifying packages from the Brave repo.

After that, it is the responsibility of your package manager to perform PGP/GPG verification of packages it gets from that repo. This should be happening automatically every time a new package is downloaded.

If you really wanted to verify the files by hand I suggest looking this up in some of the Debian docs as this would be specific to the .deb package format.

1 Like
3

thank you for the quick reply.

so in other words the ā€œapt updateā€ command is always doing a verification ?

sorry for my question i am still new but i start liking linux more and more
i will read your suggested docs thank you for it

4

Yes, apt or apt-get (I havenā€™t used Debian in a while so I donā€™t recall which), or one of the other components in the package manager toolchain, will do this for you. It should happen for Debianā€™s own packages as well as those from other repositories you add, such as Braveā€™s, provided you supply it a public key against which it can perform signature verification.

1 Like
5

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.