Re: CD verification key question
On Wed, Jun 22, 2016 at 05:42:36PM +0000, Grzegorz Bereta wrote:
>Dear Sir or Madam,
>
>I was trying to verify my Debian download following these instructions:
>
>https://www.debian.org/CD/verify.en.html
>
>and found the second part of the instructions (below) unclear:
>
>"To ensure that the checksums files themselves are correct, use GnuPG
>to verify them against the accompanying signature files
>(e.g. MD5SSUMS.sign). The keys used for these signatures are all in
>the Debian GPG keyring and the best way to check them is to use that
>keyring to validate via the web of trust"
>
>My understanding of the above is that I need keys to decipher the X.sign file
>so that I can compare it with the checksum file. Don't I need a KeyID to
>get the proper key? Where/how do I get it?
In that same page, the keys are listed immediately below what you've
just quoted:
pub 4096R/64E6EA7D 2009-10-03
Key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
uid Debian CD signing key <debian-cd@lists.debian.org>
pub 4096R/6294BE9B 2011-01-05
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid Debian CD signing key <debian-cd@lists.debian.org>
sub 4096R/11CD9819 2011-01-05
pub 4096R/09EA8AC3 2014-04-15
Key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
uid Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub 4096R/6BD05CFB 2014-04-15
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"Managing a volunteer open source project is a lot like herding
kittens, except the kittens randomly appear and disappear because they
have day jobs." -- Matt Mackall
Reply to: