On Wed, Mar 16, 2011 at 10:19:21AM -0700, Todd A. Jacobs wrote:
>I've recently downloaded the net installation image for Squeeze, but
>am really uncomfortable with the fact that I can't establish a firm
>trust path to the CD signing key. Is there a canonical place to get
>the fingerprint of this key, so that at least one can have some
>confidence that the key one is validating with is at least the
>widely-known (and generally accepted) one?
>
>As a hack, I've done this on an Ubuntu 10.10 system:
>
>    gpg --recv-keys 6294BE9B
>    gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>
>While this shows that this particular key has been signed by some
>Debian developers, it doesn't actually validate that the key is the
>official key for verifying the ISOs.
>
>Can anyone point me to ANY debian.org page that defines the official
>key for CD images? Major bonus for any official links to fingerprints
>for the CD signing key.

Hi Todd,

I'm just in the middle of writing a page for the website with more
details about that key, and also the others that we've used in the
past few years for signing CD/DVD releases. The best way to verify
keys is the web of trust, but if you'd prefer a key listed on a web
page then I hope that should help you.

--
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on the desk
 so he can get a better aim." [ seen in ucam.chat ]