[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Canonical source for the new CD signing key's fingerprint?

On Wed, Mar 16, 2011 at 10:19:21AM -0700, Todd A. Jacobs wrote:
>I've recently downloaded the net installation image for Squeeze, but
>am really uncomfortable with the fact that I can't establish a firm
>trust path to the CD signing key. Is there a canonical place to get
>the fingerprint of this key, so that at least one can have some
>confidence that the key one is validating with is at least the
>widely-known (and generally accepted) one?
>As a hack, I've done this on an Ubuntu 10.10 system:
> gpg --recv-keys 6294BE9B
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>While this shows that this particular key has been signed by some
>Debian developers, it doesn't actually validate that the key is the
>official key for verifying the ISOs.
>Can anyone point me to ANY debian.org page that defines the official
>key for CD images? Major bonus for any official links to fingerprints
>for the CD signing key.

Hi Todd,

I'm just in the middle of writing a page for the website with more
details about that key, and also the others that we've used in the
past few years for signing CD/DVD releases. The best way to verify
keys is the web of trust, but if you'd prefer a key listed on a web
page then I hope that should help you.

Steve McIntyre, Cambridge, UK.                                steve@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on
 the desk so he can get a better aim."          [ seen in ucam.chat ]

Attachment: signature.asc
Description: Digital signature

Reply to: