Hi, On Thursday 31 January 2008 19:13, Alexander Wirt wrote: > Sure, this package is to make your debian trust backports.org. So this is > kind of a chicken and egg problem. The first package has to be > unauthenticated. Actually not :) http://wiki.skolelinux.no/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d describes how to verify the key against the debian-keyring package: # install the debian-keyring securily: aptitude install debian-keyring # fetch the backports.org key insecurily: gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 16BA136C # check securily if the key is correct and add it to root's keyring if it is: gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C && gpg --export 16BA136C | apt-key add - # update the list of available packages: aptitude update > A little bit... but only if you check the signatures on this key before you > add it. And of course only if you trust one of the people that signed that > key... The above does this :) Now you only have the chicken+egg problem at the "obtaining Debian securely" stage... regards, Holger
Attachment:
pgpBp6lwesxSk.pgp
Description: PGP signature