Re: Debian Archive Automatic Signing Key (4.0/etch)?
Am Dienstag 21 November 2006 23:52 schrieb Kurt Roeckx:
> On Tue, Nov 21, 2006 at 04:50:29PM -0600, Peter Samuelson wrote:
> > [Martin Zobel-Helas]
> >
> > > gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 |
> > > apt-key add -)
> >
> > Uh, don't forget the part about verifying that the key is actually
> > signed by the ftpmasters. Skipping that step pretty much defeats the
> > entire point.
> >
> > gpg --list-sigs A70DAF536070D3A1
>
> Try gpg --check-sigs A70DAF536070D3A1 instead.
Or even better:
# gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs
A70DAF536070D3A1
I just assume that receiving the keys via the debian-keyring package ist more
trustworthy than via a random public server. In the default configuration, it
gives me:
# gpg --check-sigs A70DAF536070D3A1
pub 1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch)
<ftpmaster@debian.org>
sig!3 6070D3A1 2006-11-20 Debian Archive Automatic Signing Key
(4.0/etch) <ftpmaster@debian.org>
2 signatures not checked due to missing keys
HS
Reply to: