Posted: Thu Nov 28, 2013 1:27 pm
Post subject: Verifying GNUPG Itself Before Using It To Verify Packages
I am a Linux newbie. I am currently attempting to install Gentoo in as secure a manner as possible.
I have downloaded a signed minimal installation iso and verified it on another machine.
I have a signed stage 3 tarball and verified it on another machine.
I have used the minimal install and successfully chrooted into my new environment. I have successfully manually copied across and unpacked the verified tarball rather than downloading an unverified one. I now want to use portage to do verified updates before proceeding further. But to do that I need to emerge gnupg. But how do I verify this gnupg package itself?
Is there a way of doing it using the gnupg from the installation rather than the chrooted environment? Or some other method? Otherwise it seems the Achilles heel is using an unverified package to verify all other packages.
Many thanks for your help.
EDIT: Ah, I think I already solved this problem. By using a validated Portage latest snapshot as opposed to using
as the manual suggests, GNUPG should be emerged from the validated snapshot now present on my system.