Secure (!) APT updates

Andrew, your method leaves you and your system wide open to MITM attacks. All I need to do is poison your DNS cache at the right moment, and you'll trust my key (apologies to ari for misattribution in a previous edition of this post; thanks to dato for letting me know).

I strongly suggest going via gnupg and verifying the fingerprint as well as the signatures on the key. You can use this page to help you verify these data (although without SSL on this site, that page currently adds little assurance; I am working on it).

Here's what I usually do:

cirrus:~> GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006)
  <ftpmaster<@t>debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
cirrus:~> gpg --check-sigs --fingerprint 2D230C5F
pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
      Key fingerprint = 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
uid   Debian Archive Automatic Signing Key (2006) <ftpmaster<@t>debian.org>
sig!3        2D230C5F 2006-01-03  Debian Archive Automatic Signing Key
                                  (2006) <ftpmaster<@t>debian.org>
sig!         2A4E3EAA 2006-01-03  Anthony Towns <aj<@t>azure.humbug.org.au>
sig!         4F368D5D 2006-01-03  Debian Archive Automatic Signing Key
                                  (2005) <ftpmaster<@t>debian.org>
sig!         29982E5A 2006-01-04  Steve Langasek <vorlon<@t>dodds.net>
sig!         FD6645AB 2006-01-04  Ryan Murray <rmurray<@t>cyberhqz.com>
sig!         AB2A91F5 2006-01-04  James Troup <james<@t>nocrew.org>

and then I check the trust path from my key to at least one of the keys used to sign the archive key. Note that `sig!` only means gpg could verify the signature against a signer key already in my keyring, and that the self-signature by 2D230C5F says nothing about who controls the key; it is the other signers that matter. Only if I find an acceptable path will I then tell APT to trust the key:

cirrus:~> gpg --export -a 2D230C5F | sudo apt-key add -
Ok

Note that the key is signed with the previous archive key (4F368D5D, the 2005 key), so theoretically you can just build on your previous trust.
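The procedure above, written as a script so that the two decisions (does the fingerprint match, and is there a verified signature from a key I already trust) are made by code rather than by eye. This is an added example, not madduck's own script nor anything from Debian: it parses gpg's `--with-colons` output, assumes `gpg`, `wget` (the post used lwp-request's `GET`), `sudo` and `apt-key` are available for the real run, and takes the list of trusted signer key ids from the caller, who is assumed to have checked the trust path to them already. The embedded listing is constructed from the post's `--check-sigs` output: the 2006 key's long id is the last 16 digits of its fingerprint, the signers keep the short ids shown in the post, and two signature states are deliberately altered (29982E5A marked `?`, FD6645AB marked `-`) to exercise the reject paths.

```shell
#!/bin/sh
# Added example, not madduck's own script: automate the checks from the post
# (fingerprint, then a verified signature from a key you already trust)
# before giving the archive key to apt-key.  Works on gpg's --with-colons
# output so the decision is made by the script rather than by eye.
set -eu

# Fingerprint of the 2006 archive key as printed in the post, spaces removed.
# For any other key, take this value from an out-of-band source, never from
# the same download as the key itself.
EXPECTED_FPR="084750FC01A6D388A643D869010908312D230C5F"

# fpr_matches LISTING EXPECTED
# Succeeds if the primary-key fingerprint in LISTING (gpg --with-colons
# --fingerprint output) equals EXPECTED.  The first "fpr" record belongs to
# the primary key; later ones belong to subkeys and are ignored.
fpr_matches() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "fpr" { found = ($10 == want); exit }
        END { exit (found ? 0 : 1) }'
}

# good_sig_from LISTING TRUSTED
# Succeeds, printing the signer key id, if LISTING (gpg --with-colons
# --check-sigs output) carries at least one signature that gpg verified
# ("!" in field 2) from a key in the space-separated TRUSTED list.  Short
# (8-digit) or long (16-digit) ids may be given.  Signatures gpg could not
# verify ("?": signer key not in your keyring) or found bad ("-") never
# count, and neither does the key's own self-signature, which only proves
# the key was made by whoever holds it, not by whom.
good_sig_from() {
    printf '%s\n' "$1" | awk -F: -v trusted="$2" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "pub" { self = $5 }
        $1 == "sig" && $2 == "!" && $5 != self {
            short = substr($5, length($5) - 7)
            if (($5 in ok) || (short in ok)) { print $5; hit = 1; exit }
        }
        END { exit (hit ? 0 : 1) }'
}

# Constructed sample: the --check-sigs listing from the post rendered in
# --with-colons form.  The long id of the 2006 key is the last 16 digits of
# its fingerprint; the signers keep the short ids the post shows.  Two
# signatures are deliberately altered to exercise the reject paths:
# 29982E5A marked "?" (as if that key were not in the keyring), FD6645AB "-".
SAMPLE_LISTING="$(cat <<'EOF'
pub:-:1024:17:010908312D230C5F:2006-01-03:2007-02-07::-::scESC:
fpr:::::::::084750FC01A6D388A643D869010908312D230C5F:
uid:-::::2006-01-03::::Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>:
sig:!::17:010908312D230C5F:2006-01-03::::Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>:13x:
sig:!::17:2A4E3EAA:2006-01-03::::Anthony Towns <aj@azure.humbug.org.au>:10x:
sig:!::17:4F368D5D:2006-01-03::::Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>:10x:
sig:?::17:29982E5A:2006-01-04::::[User ID not found]:10x:
sig:-::17:FD6645AB:2006-01-04::::Ryan Murray <rmurray@cyberhqz.com>:10x:
sig:!::17:AB2A91F5:2006-01-04::::James Troup <james@nocrew.org>:10x:
EOF
)"

# Real use (assumes network access, gpg, wget and sudo; the post used
# lwp-request's GET instead of wget):
#   ./verify-archive-key.sh 2D230C5F \
#       http://ftp-master.debian.org/ziyi_key_2006.asc "4F368D5D 2A4E3EAA"
# TRUSTED lists key ids you have already found a trust path to, e.g. the
# previous archive key and developers whose keys you have checked.
main() {
    keyid="$1"; url="$2"; trusted="$3"
    wget -qO- "$url" | gpg --import
    # gpg exits non-zero when it sees a bad signature; we still want the
    # listing, the checks below make the decision.
    listing="$(gpg --with-colons --fingerprint --check-sigs "$keyid" || true)"
    fpr_matches "$listing" "$EXPECTED_FPR" \
        || { echo "fingerprint of $keyid does not match expected value" >&2; exit 1; }
    signer="$(good_sig_from "$listing" "$trusted")" \
        || { echo "no verified signature from a trusted key on $keyid" >&2; exit 1; }
    echo "fingerprint ok, signed by trusted key $signer; handing key to apt"
    gpg --export -a "$keyid" | sudo apt-key add -
}

# Only run the real procedure when invoked with three arguments; running the
# file without arguments just defines the functions and the sample listing.
if [ $# -eq 3 ]; then
    main "$@"
fi
```

Listing the key itself in TRUSTED does not help: the self-signature is skipped on purpose, so the script only accepts the key once a signer you trust independently has vouched for it. On the sample listing, `good_sig_from "$SAMPLE_LISTING" "2A4E3EAA"` succeeds, while asking for 29982E5A (unverifiable) or FD6645AB (bad) fails.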

Until Debian finally gets a proper PKI in place, this seems like the best way to do it.