
verifying archive signature keys?


Just a question because someone had asked me for help. The problem was
that apt-get update had complained about not being able to verify
signatures due to a missing PGP key.

It was easy to tell them to do
gpg --recv-key A70DAF536070D3A1
gpg -a --export A70DAF536070D3A1 |  sudo apt-key add -

But how would one verify that this key is the correct Debian
key (and not, e.g., the key used by an intruder to fake packages and
simply uploaded to public key repositories)?

gpg --check-sigs A70DAF536070D3A1

lists some signatures of several people, but none that I personally
know, I don't even know whether these people actually exist.

So what's the official way to verify Debian archives?

