doubt about live CD/DVD signing key
Can you please tell me whether I can trust the debian signing key of the
live CDs/DVDs? Thanks.

After adding the key to the keyring, I get:

gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Mon 17 Oct 2011 14:55:55 CEST using RSA key ID 6CA7B5A6
gpg: Good signature from "Debian Live Signing Key <debian-live@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6

The key does not appear in this page:
http://www.debian.org/CD/verify
Someone else had the same problem, what follows is taken from the debian
forum, but there was no reply:
http://forums.debian.net/viewtopic.php?f=17&t=74140
The Debian-Live DVD signing key has fingerprint
696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6
It is signed by one person
sig sig3 6CA7B5A6 2011-03-09 __________ 2021-02-01 [selfsig]
sig sig 4B2B2B9E 2011-03-12 __________ __________ Daniel Baumann <***>
Baumann has signed his key 4B2B2B9E with various other identities he
owns, but apparently no-one else has signed his key! Thus, the GPG
signed files containing the checksums for the Debian-live DVDs appear to
be questionable.
(I munged the email addresses.)
Does anyone know why these keys are treated so differently? It could be
important if for some reason I wanted to install from one of the live
DVDs (each about 1GB) rather than the full (4.4 GB) DVD #1.
-- loredana
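
The gpg output quoted in the message mixes two separate results: "Good signature" (the signature verifies against the key in the keyring) and the warning (no web-of-trust path certifies that key). The following is an added example, not part of the original post: it reads gpg's machine-readable status lines and reports those two results separately, plus a comparison against a fingerprint the caller has pinned. The names check_gpg_status, SAMPLE_STATUS and FPR are hypothetical, the status lines are constructed, and the pinned fingerprint is assumed to come from a source the caller trusts independently of the download.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS`
# output for the situation in the post; timestamp and algorithm fields are illustrative.
FPR = "696F95F088E4D359947F7AEB6F95B4996CA7B5A6"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] GOODSIG 6F95B4996CA7B5A6 Debian Live Signing Key <debian-live@lists.debian.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2011-10-17 1318856155 0 4 0 1 8 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED",
])

# Status keywords that mean the signature must not be relied on.
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_gpg_status(status_text, pinned_fpr):
    """Report separately: is the signature cryptographically valid, what does
    the web of trust say about the key, and does the key match the pin."""
    pinned = re.sub(r"\s+", "", pinned_fpr).upper()
    valid, failed, primary, trust = False, False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "VALIDSIG" and len(fields) >= 2:
            valid = True
            # Field 10 is the primary key fingerprint; it is optional in the
            # status format, so fall back to the signing key fingerprint.
            primary = (fields[10] if len(fields) > 10 else fields[1]).upper()
        elif keyword in FAIL_KEYWORDS:
            failed = True
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    valid = valid and not failed
    return {
        "valid_sig": valid,
        "primary_fpr": primary,
        "wot_trust": trust,
        "pinned_match": valid and primary == pinned,
    }

if __name__ == "__main__":
    print(check_gpg_status(SAMPLE_STATUS, "696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6"))
```

For the sample, valid_sig is True while wot_trust is "undefined", which is exactly the state the warning describes; pinned_match only says the key equals the pinned value, so it is worth as much as the source of that pin.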