[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CD verification key question

On Wed, Jun 22, 2016 at 05:42:36PM +0000, Grzegorz Bereta wrote:
>Dear Sir or Madam,
>I was trying to verify my Debian download following these instructions:
>and found the second part of the instructions (below) unclear:
>"To ensure that the checksums files themselves are correct, use GnuPG
>to verify them against the accompanying signature files
>(e.g. MD5SSUMS.sign). The keys used for these signatures are all in
>the Debian GPG keyring and the best way to check them is to use that
>keyring to validate via the web of trust"
>My understanding of the above is that I need keys to decipher the X.sign file 
>so that I can compare it with the checksum file. Don't I need a KeyID to
>get the proper key? Where/how do I get it? 

In that same page, the keys are listed immediately below what you've
just quoted:

pub   4096R/64E6EA7D 2009-10-03
      Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd@lists.debian.org>

pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

pub   4096R/09EA8AC3 2014-04-15
      Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid                  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15

Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall

Reply to: