[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Instructions add *all* PGP public keys to APT

(Sorry for the cc's; sometimes the list seems to eat my mails...)

Its quite possible to generate a key with a duplicate 32-bit hash; an
mischievous person could then upload that to the keyserver. Since
apt-key doesn't do any web-of-trust verification, apt-key would happily
accept the bogus key.

Instead, it'd be best to use the full fingerprint:

gpg --export 27034F81A2EB2840A4386C09EA8E8B2116BA136C | apt-key add -

Reply to: