verifying archive signature keys?

To: debian-security@lists.debian.org
Subject: verifying archive signature keys?
From: Hadmut Danisch <hadmut@danisch.de>
Date: Wed, 15 Aug 2007 10:54:02 +0200
Message-id: <[🔎] 46C2BF2A.4060501@msgid.danisch.de>

Hi,

just a question because someone had asked me for help. The problem was
that apt-get update had complained about not beeing able to verify
signatures due to a missing pgp key.

Was easy to tell to do
gpg --recv-key A70DAF536070D3A1
gpg -a --export A70DAF536070D3A1 |  sudo apt-key add -



but: How would one verify that this key is the correct debian
key (and not, e.g. the key used by an intruder to fake packages and
simply uploaded to public key repositories)?


gpg --check-sigs A70DAF536070D3A1

lists some signatures of several people, but none that I personally
know, I don't even know whether these people actually exist.

So what's the official way to verify debian archives?

regards
Hadmut

Reply to:

Follow-Ups:
- Re: verifying archive signature keys?
  - From: Marcin Owsiany <porridge@debian.org>
- Re: verifying archive signature keys?
  - From: Martin Zobel-Helas <zobel@ftbfs.de>
- Re: verifying archive signature keys?
  - From: Steffen Schulz <pepe_ml@gmx.net>

Prev by Date: Re: strange requests from Vanguard Securities: 53,137,138
Next by Date: Re: verifying archive signature keys?
Previous by thread: Re: strange requests from Vanguard Securities: 53,137,138
Next by thread: Re: verifying archive signature keys?
Index(es):
- Date
- Thread