Improvement proposal for page www.debian.org/CD/verify
Yesterday I tried to verify the Debian DVD image that I downloaded.
I did not want to rely on the fingerprints for the public keys used to sign the file with the hashes, because I think that I cannot fully trust the information shown to me on a web page when it is encrypted with a Let's Encrypt certificate.
So I went for the Web of Trust.
As I had not used PGP/GPG for many years, I needed some time to learn and find out that GPG is not capable of automatically finding the path between a public key used to verify a signature and the trusted public keys that are already in my keyring. In my case these trusted keys are the two keys from the "Kryptokampagne" of c't that I downloaded and checked using the fingerprints published in the magazine. I was close to giving up when I finally found a web page offering exactly what I needed: given two keys, it showed me that I need to add only 1 additional key to my keyring in order to complete the Web of Trust and make one of the keys used to sign the Debian CD key valid.
I propose that you add at least the information about this web page to the verification page.
Further instructions on how to use GPG to verify a signature, how to find out and add needed public keys to the keyring, and how to actually know that a verification is successful (the messages of GPG are not self-explanatory and the man page was unclear too) are certainly welcome too. You could even go so far as to supply a keyring that allows a successful verification after checking and trusting certain "root" keys like the ones from c't.
Thanks a lot.
Martin Glaser, Heiterwanger Str. 52, D-81373 München