ISO md5sum signing paranoia
I'm reinventing the wheel while learning about Debian key signing, so far
I've been able to verify sarge-amd64 DVD iso images via
$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Mon 13 Jun 2005 10:48:17 PM CEST using DSA key ID F6A32A8E
gpg: Good signature from "Santiago Garcia Mantinan (manty) <sgm@manty.net>"
gpg: aka "Santiago Garcia Mantinan (manty) <manty@gpul.org>"
gpg: aka "Santiago Garcia Mantinan (manty) <manty@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3F0A 12FC 0B55 A917 D791 82D3 72FD C205 F6A3 2A8E
I'd like to know how to get rid of warning above. So far I've imported the
whole Debian keyring
gpg --import /usr/share/keyrings/debian-keyring.gpg
which action may be pretty stupid, but I expected some "higher authority" key
being present there, well, it is not, as I'm still getting warning about not
certified key.
Is there anything like Debian CA key, or should I ask Santiago Garcia Mantinan
about his key's fingerprint?
Thanks for any enlightenment.
Vit
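
The gpg output quoted in the post reports two separate things: the signature is cryptographically good, and the local keyring has no certification path to the signing key. The script below is an added example, not part of the original post. It separates the two by reading gpg's machine-readable status lines and comparing the signer against a pinned fingerprint. The function names, verdict strings and sample status lines are constructed for illustration, and pinning assumes the fingerprint was confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the gpg output in the post, spaces
# removed; pinning it assumes it was confirmed through a channel you trust.
PINNED_FPR="3F0A12FC0B55A917D79182D372FDC205F6A32A8E"

# Constructed sample of `gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS`
# status output for the situation in the post: valid signature, no trust path.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 72FDC205F6A32A8E Santiago Garcia Mantinan (manty) <sgm@manty.net>
[GNUPG:] VALIDSIG 3F0A12FC0B55A917D79182D372FDC205F6A32A8E 2005-06-13 1118695697 0 3 0 17 2 00 3F0A12FC0B55A917D79182D372FDC205F6A32A8E
[GNUPG:] TRUST_UNDEFINED
EOF
}

# classify_status FPR: read gpg status lines on stdin and print one verdict.
#   BAD             no valid signature, or a bad/expired/revoked one
#   WRONG_KEY       valid signature, but not made by the pinned primary key
#   OK_PINNED_ONLY  pinned key signed it; keyring has no certification path
#   OK_TRUSTED      pinned key signed it and gpg considers the key valid
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Field 3 is the signing (sub)key fingerprint, field 12 the primary key.
        $2 == "VALIDSIG" { fpr = $3; primary = (NF >= 12) ? $12 : $3 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 ~ /^TRUST_/ { trust = $2 }
        END {
            if (bad || fpr == "") print "BAD"
            else if (primary != want) print "WRONG_KEY"
            else if (trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE")
                print "OK_TRUSTED"
            else print "OK_PINNED_ONLY"
        }'
}

# Real use (human-readable messages go to stderr, status lines to stdout):
#   gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS 2>/dev/null \
#       | classify_status "$PINNED_FPR"
sample_status | classify_status "$PINNED_FPR"
```
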