
I encountered a Debian machine that, when trying to update packages, threw the widely discussed "GPG error: http://security.debian.org wheezy/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553". In order to import the current keys, the package debian-keyring needs to be installed.

But since the keys on the machine are no longer valid, how can I be sure that the package's contents have not been tampered with?

jstarek

1 Answer

If you rule out adding the key and using that, you can still verify the MD5 manually.

# Print the md5sum of the Packages file which is listed in the Release file.
sed -n "s,main/binary-i386/Packages$,,p" ftp.us.debian.org_debian_dists_sid_Release
# Print the md5sum of the Packages file itself.
md5sum ftp.us.debian.org_debian_dists_sid_main_binary-i386_Packages

Finally, check the MD5 or SHA checksum of the package itself:

apt-cache show <package_name> | sed -n "s/MD5sum: //p" # Grab the checksum from the APT cache.
md5sum <binary_package_name>.deb                       # Compare it against the binary package's checksum.

Source

Jan
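The same two-step check as a script, added here as an example and not part of the answer above: it pulls the checksum for the Packages index out of the Release file, compares it with the index's actual hash, then does the same for a .deb against its Packages stanza, using SHA256 instead of MD5 (Release and Packages files carry both). The function names release_sum, packages_sum, matches and demo, and the sample Release, Packages and .deb files built in a temp directory, are assumptions of this example; real files live under /var/lib/apt/lists/ and on the mirror.

```shell
#!/bin/sh
# Added example, not from the original answer: verify a Packages index against
# the Release file, then a .deb against the Packages index, with SHA256.
set -u

# release_sum RELEASE SECTION PATH: print the checksum that SECTION
# (MD5Sum, SHA1 or SHA256) of RELEASE lists for PATH; prints nothing if absent.
release_sum() {
    awk -v sec="$2:" -v path="$3" '
        /^[A-Za-z0-9-]+:/ { insec = ($1 == sec); next }   # section header line
        insec && $3 == path { print $1; exit }            # " hash size path"
    ' "$1"
}

# packages_sum PACKAGES PKG FIELD: print FIELD (e.g. SHA256) from PKG's stanza.
packages_sum() {
    awk -v pkg="$2" -v field="$3:" '
        $1 == "Package:" { cur = $2 }
        cur == pkg && $1 == field { print $2; exit }
    ' "$1"
}

# matches EXPECTED FILE: 0 if FILE's sha256 equals EXPECTED, 1 if it differs,
# 2 if EXPECTED is empty (no entry was found, which must also count as failure).
matches() {
    [ -n "$1" ] || return 2
    [ "$1" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# demo: build a consistent (constructed) Release/Packages/.deb set, verify the
# chain, then append to the index and confirm the check now fails.
demo() {
    d=$(mktemp -d)
    printf 'not really a deb\n' > "$d/hello.deb"
    printf 'Package: hello\nFilename: pool/main/h/hello/hello.deb\nSHA256: %s\n\n' \
        "$(sha256sum "$d/hello.deb" | cut -d' ' -f1)" > "$d/Packages"
    printf 'Origin: Debian\nSHA256:\n %s %s main/binary-i386/Packages\n' \
        "$(sha256sum "$d/Packages" | cut -d' ' -f1)" \
        "$(wc -c < "$d/Packages" | tr -d ' ')" > "$d/Release"
    matches "$(release_sum "$d/Release" SHA256 main/binary-i386/Packages)" "$d/Packages" || return 1
    matches "$(packages_sum "$d/Packages" hello SHA256)" "$d/hello.deb" || return 1
    printf 'Depends: extra\n' >> "$d/Packages"             # simulated tampering
    if matches "$(release_sum "$d/Release" SHA256 main/binary-i386/Packages)" "$d/Packages"; then
        return 1
    fi
    rm -rf "$d"
}
```

This only proves the three files are consistent with each other; whoever can alter the mirror can rewrite all three, so the chain is only as trustworthy as the signature on the Release file that the missing key would have verified.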