
Re: Debian Archive Automatic Signing Key (4.0/etch)?



On Tuesday 21 November 2006 23:52, Kurt Roeckx wrote:
> On Tue, Nov 21, 2006 at 04:50:29PM -0600, Peter Samuelson wrote:
> > [Martin Zobel-Helas]
> >
> > > gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 |
> > > apt-key add -)
> >
> > Uh, don't forget the part about verifying that the key is actually
> > signed by the ftpmasters.  Skipping that step pretty much defeats the
> > entire point.
> >
> >   gpg --list-sigs A70DAF536070D3A1
>
> Try gpg --check-sigs A70DAF536070D3A1 instead.

Or even better:
# gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs A70DAF536070D3A1

I just assume that receiving the keys via the debian-keyring package is more 
trustworthy than via a random public server. In the default configuration, it 
gives me:
# gpg --check-sigs A70DAF536070D3A1
pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>
sig!3        6070D3A1 2006-11-20  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

2 signatures not checked due to missing keys


HS
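
Added example, not part of the original message: in the output quoted above, the only verified signature (`sig!`) is the key's own self-signature, and the other two were not checked because the signer keys were missing. The script below reads `gpg --check-sigs --with-colons` output and separates self-signatures from verified third-party ones; the sample input is constructed, and its timestamps and the two signer key IDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended use (same command as
# in the message, plus --with-colons for machine-readable output):
#   gpg --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --check-sigs --with-colons A70DAF536070D3A1 | summarize_sigs
# In colon format a "sig" record holds the check result in field 2
# ("!" good, "-" bad, "?" signer key missing, "%" error) and the signer's
# long key ID in field 5.
summarize_sigs() {
    awk -F: '
        $1 == "pub" { self = $5 }                        # key being checked
        $1 == "sig" {
            if      ($2 == "!" && $5 == self) selfsig++  # self-signature only
            else if ($2 == "!")               good++     # verified third-party signature
            else if ($2 == "?")               missing++  # signer key not in any keyring
            else if ($2 == "-" || $2 == "%")  bad++      # failed verification
        }
        END { printf "self=%d good=%d missing=%d bad=%d\n", selfsig, good, missing, bad }
    '
}

# Succeeds only if at least one third-party signature verified and none failed.
key_is_vouched() {
    summary=$(summarize_sigs)
    good=${summary#*good=}; good=${good%% *}
    bad=${summary##*bad=}
    [ "$good" -ge 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample mirroring the situation in the message: one good
# self-signature and two signatures whose signer keys are missing.
SAMPLE='pub:-:1024:17:A70DAF536070D3A1:1163980800:1246406400::-:::scESC:
uid:-::::1163980800::::Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>:
sig:!::17:A70DAF536070D3A1:1163980800::::Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>:13x:
sig:?::17:0123456789ABCDEF:1163980800::::[User ID not found]:10x:
sig:?::17:FEDCBA9876543210:1163980800::::[User ID not found]:10x:'

printf '%s\n' "$SAMPLE" | summarize_sigs
if printf '%s\n' "$SAMPLE" | key_is_vouched; then
    echo "verified third-party signature present"
else
    echo "only a self-signature verified: key origin is not established"
fi
```

A non-zero `good` count is only meaningful when the signer keys come from a keyring you already trust, such as the one shipped in the debian-keyring package.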


