
doubt about live CD/DVD signing key



Can you please tell me whether I can trust the debian signing key of the
live CDs/DVDs? Thanks.

After adding the key to the keyring, I get:

  gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Mon 17 Oct 2011 14:55:55 CEST using RSA key ID 6CA7B5A6
gpg: Good signature from "Debian Live Signing Key <debian-live@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 696F 95F0 88E4 D359 947F  7AEB 6F95 B499 6CA7 B5A6

The key does not appear in this page: 

http://www.debian.org/CD/verify

Someone else had the same problem; what follows is taken from the Debian
forum, but there was no reply:

http://forums.debian.net/viewtopic.php?f=17&t=74140

The Debian-Live DVD signing key has fingerprint

    696F 95F0 88E4 D359 947F  7AEB 6F95 B499 6CA7 B5A6

It is signed by one person

    sig  sig3  6CA7B5A6 2011-03-09 __________ 2021-02-01 [selfsig]
    sig  sig   4B2B2B9E 2011-03-12 __________ __________ Daniel Baumann <***>

Baumann has signed his key 4B2B2B9E with various other identities he
owns, but apparently no-one else has signed his key! Thus, the GPG
signed files containing the checksums for the Debian-live DVDs appear to
be questionable.

(I munged the email addresses.)

Does anyone know why these keys are treated so differently? It could be
important if for some reason I wanted to install from one of the live
DVDs (each about 1GB) rather than the full (4.4 GB) DVD #1.

-- loredana
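
The gpg output quoted in this message separates two checks: the signature is cryptographically good, but nothing ties the key to its claimed owner. The following is an added example, not part of the original message: it reads the machine-readable status lines that `gpg --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS` emits and reports which of the two checks passed. The function names and the sample status lines are constructed for illustration, and the code assumes a single signature in the status output.

```python
import re

# Constructed sample of gpg --status-fd output for the case in the message:
# a good signature from a key with no trusted certification.
FPR = "696F95F088E4D359947F7AEB6F95B4996CA7B5A6"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] GOODSIG 6F95B4996CA7B5A6 Debian Live Signing Key <debian-live@lists.debian.org>",
    "[GNUPG:] VALIDSIG %s 2011-10-17 1318856155 0 4 0 1 8 00 %s" % (FPR, FPR),
    "[GNUPG:] TRUST_UNDEFINED",
])

FAILURES = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")
TRUSTED = ("TRUST_FULLY", "TRUST_ULTIMATE")
ALL_TRUST = TRUSTED + ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL")

def normalize_fpr(fpr):
    """Strip the spacing gpg prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()

def assess(status_text, confirmed_fpr=None):
    """Classify one verification run.

    confirmed_fpr is a fingerprint the reader obtained through a separate,
    trusted channel (assumption: such a channel exists for them).
    """
    good, primary, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FAILURES:
            return "reject: " + keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 2:
            # Last field is the primary key fingerprint when present.
            primary = (fields[-1] if len(fields) >= 11 else fields[1]).upper()
        elif keyword in ALL_TRUST:
            trust = keyword
    if not (good and primary):
        return "reject: no valid signature"
    if confirmed_fpr and normalize_fpr(confirmed_fpr) == primary:
        return "accept: fingerprint confirmed out of band"
    if trust in TRUSTED:
        return "accept: key certified through the web of trust"
    return "unverified owner: signature is valid but the key is not certified"
```
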

