Re: OT: debian keyring
David Bishop wrote:
> Being somewhat new to this stuff, how do I check that the gpg signature on an
> email matches that of the public key fingerprint registered with debian when
> you become a developer? I.E., assuming Eray *does* finally make it through
> the new-dev process, and he continues to gpg-sign his mails like a good dev,
> how do I make sure it's really him? All kmail says is "signed by unknown key
> blah". Now, I could go to the website and manually check in the debian
> developer's database (db.debian.org) but that's painful, and someone has
> surely come up with a better way. I'm on enough mailing lists with enough
> different people posting, that I can't possibly check each individual's key
> by hand. So, please reply with comments, off list if you feel bad about the
> subject (though traffic's been so low lately.....), and help me out. 'Cuz
> it's *got* to be easier than I'm making it out to be.....
Here's what I do...
(I'm relatively new to this stuff myself, so if anybody
sees that I've made an error, please correct me.)
1. You need the Debian keyring:
apt-get install debian-keyring
2. Add the keyring to your .gnupg/options file:
keyring /usr/share/keyrings/debian-keyring.gpg
3. While you're at it, add a line for a public keyserver. I use:
keyserver certserver.pgp.com
4. Now you're going to need to find a Debian maintainer and
verify his or her key fingerprint. The easiest way to do
this is to attend a conference or a keysigning party. Watch
the debian events list for notes about these.
Make sure the person(s) you are meeting ha(ve|s) a copy of
your fingerprint ahead of time.... If you go to a
keysigning party there will usually be instructions posted
with the party announcement. If you do step 3 you can make
your public key public with
gpg --send-keys <your-key-id>
Hope that helps. The gpg manual is pretty well written, so it
will be of some help.
--
-- mark at geekhive dot net
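An added example, not part of Mark's mail or the Debian project: once the Debian keyring is on the `keyring` line of your options file, gpg verifies against *all* your keyrings, so "Good signature" alone does not tell you the signer is in the Debian keyring. The script below runs gpg with `--status-fd` (whose `VALIDSIG` line carries the signer's full fingerprint) and checks that fingerprint against the `fpr` records of `gpg --with-colons --fingerprint` run on the Debian keyring only. The keyring path is the one from the mail; the fingerprint, key id and status lines in the sample data are constructed, and `check_mail` is a hypothetical wrapper that needs a real gpg and keyring on the machine.

```python
"""Check that a gpg-signed mail was signed by a key in the Debian keyring,
comparing the full fingerprint rather than the short key id.
Added example; not code from the original mail."""
import shutil
import subprocess

DEBIAN_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"  # path from the mail

# Constructed sample output, shaped like real gpg --status-fd and
# --with-colons records; the fingerprint and key id are made up.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2001-05-10 989481600 0 3 0 17 2 00 "
    + SAMPLE_FPR + "\n"
)
SAMPLE_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"
)
SAMPLE_COLONS = (
    "pub:-:1024:17:89ABCDEF01234567:2001-01-01::-:::scESC:\n"
    "fpr:::::::::" + SAMPLE_FPR + ":\n"
    "uid:-::::2001-01-01::0000::Example Dev <dev@example.org>:\n"
)


def keyring_fingerprints(colon_output):
    """Collect every fingerprint from `gpg --with-colons --fingerprint` output.
    'fpr' records carry the fingerprint in the 10th colon-separated field."""
    fprs = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.add(fields[9].upper())
    return fprs


def signer_fingerprint(status_output):
    """Return the primary-key fingerprint named by a VALIDSIG status line.
    VALIDSIG fields: fpr, sig-date, sig-ts, expire-ts, version, reserved,
    pubkey-algo, hash-algo, sig-class, [primary-key-fpr]. The signing key
    may be a subkey, so prefer the trailing primary-key fingerprint.
    Returns None for BADSIG/ERRSIG/NO_PUBKEY or when no VALIDSIG appears."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            return (fields[11] if len(fields) >= 12 else fields[2]).upper()
    return None


def signed_by_keyring_member(status_output, colon_output):
    """True only if the signature is valid AND its key is in the keyring listing."""
    fpr = signer_fingerprint(status_output)
    return fpr is not None and fpr in keyring_fingerprints(colon_output)


def check_mail(signed_file, keyring=DEBIAN_KEYRING):
    """Hypothetical wrapper: run the installed gpg against a signed file,
    restricting the listing to the given keyring so membership means
    'present in the Debian keyring', not merely 'present somewhere'."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    base = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring]
    verify = subprocess.run(base + ["--status-fd", "1", "--verify", signed_file],
                            capture_output=True, text=True)
    listing = subprocess.run(base + ["--with-colons", "--fingerprint",
                                     "--list-keys"],
                             capture_output=True, text=True)
    return signed_by_keyring_member(verify.stdout, listing.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample data.
    print("member:", signed_by_keyring_member(SAMPLE_STATUS, SAMPLE_COLONS))
    print("bad sig:", signed_by_keyring_member(SAMPLE_BAD_STATUS, SAMPLE_COLONS))
```

The membership check is the part that matters: a VALIDSIG from some other keyring, or from a key that merely shares a short key id with a Debian developer, does not pass, because the comparison is on the full fingerprint against the Debian keyring listing. The keyring package itself is only as trustworthy as the channel it arrived through, which is why step 4's in-person fingerprint verification still matters.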