On Wed, Apr 02, 2003 at 02:24:21PM -0500, D. Hugh Redelmeier wrote:
> The current FAQ explains the MD5 file, but not the signature file.
> Furthermore, a way of finding the public key should be provided.
> I spent a few minutes and did not find it.

True, it's not explained in the FAQ. On the other hand: People who don't
know about detached signatures probably don't really need them, right?

> What are the best ways to get the public key for RSA key ID BA8F038D?
> How can we build confidence in this key?

I must admit that I don't really believe in the "Web of Trust", so
the only reliable way would be to get the key directly from me (or
its fingerprint), or, if you believe in the security scheme of these,
from a public keyserver.

You may also find my key(s) at
but of course that is not a reliable way either.

> Suggested wording:
>     Q: What is the .md5.asc file?
>     This is a digital signature of the .md5 file.  Using the gpg program,
>     you can check that ________ has signed the .md5 file.  Verifying the
>     signature should give you fairly strong confidence that __________
>     affirms the .md5 file to be the right one.
>     The .md5 file can be used to verify that the .iso file was not
>     accidentally damaged.  The .md5.asc file can be used to verify that no
>     bad guy subverted the .md5 file (and hence the .iso file).
>     You need a secure way to get the public key for __________.
>     Under LINUX (including Knoppix):
>     	# add the public key to your keyring
> 	gpg --import _______
> 	# verify the signature of the .md5 file
> 	gpg --verify KNOPPIX_V3.2-2003-03-30-EN.iso.md5.asc
> 	# check the .iso file
> 	md5sum -c KNOPPIX_V3.2-2003-03-30-EN.iso.md5

I'm not sure whether this is really a "frequently asked" question. So
far, you are about the third one asking in 2 years.

Maybe a hint in the README on the mirrors would be sufficient?

-Klaus Knopper
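
The verification steps from the suggested FAQ wording, tied to a fingerprint obtained directly from the signer, as an added example that is not part of the original message. The function names `signed_by` and `verify_iso` and the `EXPECTED_FPR` placeholder are assumptions; it relies on gpg's machine-readable `--status-fd` output rather than the human-readable text.

```shell
#!/bin/sh
# Added example, not from the original message.
# EXPECTED_FPR is a placeholder: set it to the full fingerprint you received
# directly from the signer, not one copied from the download site.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_SIGNER}"

# signed_by FPR: read "gpg --status-fd" lines on stdin. Succeed only if a
# VALIDSIG line names FPR (as signing key or primary key) and no BADSIG or
# ERRSIG line is present. A valid signature by some other key is a failure.
signed_by() {
    [ -n "$1" ] || return 2
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_iso ISO: check the detached signature ISO.md5.asc over ISO.md5,
# then check ISO against the checksum in ISO.md5.
verify_iso() {
    iso=$1
    gpg --status-fd 1 --verify "$iso.md5.asc" "$iso.md5" 2>/dev/null \
        | signed_by "$EXPECTED_FPR" || {
            echo "signature on $iso.md5 is not from the expected key" >&2
            return 1
        }
    # md5sum -c resolves the file name listed in the .md5 relative to the cwd
    ( cd "$(dirname "$iso")" && md5sum -c "$(basename "$iso").md5" )
}

# Run as: EXPECTED_FPR=<fingerprint> sh verify.sh KNOPPIX_V3.2-2003-03-30-EN.iso
if [ "$#" -gt 0 ]; then
    verify_iso "$1"
fi
```

The order matters: the .md5 file is only trusted after its signature has been matched to the expected fingerprint, and only then is it used to check the .iso.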
