
Re: [debian-knoppix] FAQ: what is *.md5.asc file?



On Wed, Apr 02, 2003 at 02:24:21PM -0500, D. Hugh Redelmeier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> The current FAQ explains the MD5 file, but not the signature file.
> Furthermore, a way of finding the public key should be provided.
> I spent a few minutes and did not find it.

True, it's not explained in the FAQ. On the other hand: People who don't
know about detached signatures probably don't really need them, right?

> What are the best ways to get the public key for RSA key ID BA8F038D?
> How can we build confidence in this key?

I must admit that I don't really believe in the "Web of Trust", so
the only reliable way would be to get the key directly from me (or
its fingerprint), or, if you believe in the security scheme of these,
from a public keyserver.

You may also find my key(s) at
http://hydra.linuxtag.uni-kl.de/~knopper/knopper.asc
but of course that is not a reliable way either.

> Suggested wording:
> 
>     Q: What is the .md5.asc file?
> 
>     This is a digital signature of the .md5 file.  Using the gpg program,
>     you can check that ________ has signed the .md5 file.  Verifying the
>     signature should give you fairly strong confidence that __________
>     affirms the .md5 file to be the right one.
> 
>     The .md5 file can be used to verify that the .iso file was not
>     accidentally damaged.  The .md5.asc file can be used to verify that no
>     bad guy subverted the .md5 file (and hence the .iso file).
> 
>     You need a secure way to get the public key for __________.
> 
>     Under LINUX (including Knoppix):
>         # add the public key to your keyring
>         gpg --import _______
> 
>         # verify the signature of the .md5 file
>         gpg --verify KNOPPIX_V3.2-2003-03-30-EN.iso.md5.asc
> 
>         # check the .iso file
>         md5sum -c KNOPPIX_V3.2-2003-03-30-EN.iso.md5

I'm not sure whether this is really a "frequently asked" question. So
far, you are about the third one asking in 2 years.

Maybe a hint in the README on the mirrors would be sufficient?

Regards
-Klaus Knopper
-- 
Klaus Knopper                           Technical Solutions & Finances
knopper@linuxtag.org                          http://www.linuxtag.org/
Phone +49-(0)631-3109371                        Fax +49-(0)631-3109372
LinuxTag 2003 - Europes largest Linux Expo       Where .com meets .org
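
The verification steps from the suggested wording, as an added shell example that is not part of the original message: `gpg --verify` accepts a signature from any key in the keyring, so this version runs `md5sum -c` only when the signer's fingerprint equals one obtained directly from the signer. The function names and the fingerprint placeholder are assumptions; the thread gives only the key ID BA8F038D, not a fingerprint.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are illustrative.

# Read `gpg --status-fd` output on stdin and print the signer's primary-key
# fingerprint. Fails unless there is exactly one VALIDSIG line and no status
# line reporting a bad, unverifiable, expired or revoked signature or key.
valid_signer_fpr() {
    awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n++
            # Field 12 is the primary-key fingerprint; it is optional in the
            # status format, so fall back to field 3 (the signing key).
            fpr = (NF >= 12) ? $12 : $3
        }
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (n == 1 && !bad) print fpr; else exit 1 }
    '
}

# Normalise a fingerprint as printed by `gpg --fingerprint` (spaces, any case).
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# usage: verify_then_check FILE.md5 FINGERPRINT
# Expects FILE.md5.asc and the .iso named inside FILE.md5 in the same directory.
verify_then_check() {
    md5file=$1
    want=$(norm_fpr "$2")
    # With --status-fd 1, stdout carries only the machine-readable status lines.
    got=$(gpg --status-fd 1 --verify "$md5file.asc" "$md5file" 2>/dev/null |
          valid_signer_fpr) || { echo "no valid signature on $md5file" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "signed by unexpected key $got" >&2; return 1; }
    # Only now is the .md5 file trusted enough to check the image against it.
    (cd "$(dirname "$md5file")" && md5sum -c "$(basename "$md5file")")
}

# Example call (FINGERPRINT_FROM_SIGNER is a placeholder, not a real value):
#   verify_then_check KNOPPIX_V3.2-2003-03-30-EN.iso.md5 "FINGERPRINT_FROM_SIGNER"
```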
