
Re: verifying archive signature keys?



Hi, 

On Wed Aug 15, 2007 at 10:54:02 +0200, Hadmut Danisch wrote:
> Hi,
> 
> just a question because someone had asked me for help. The problem was
> that apt-get update had complained about not being able to verify
> signatures due to a missing pgp key.
> 
> Was easy to tell to do
> gpg --recv-key A70DAF536070D3A1
> gpg -a --export A70DAF536070D3A1 |  sudo apt-key add -
> 
> 
> 
> but: How would one verify that this key is the correct Debian
> key (and not, e.g. the key used by an intruder to fake packages and
> simply uploaded to public key repositories)?
> 
> 
> gpg --check-sigs A70DAF536070D3A1
> 
> lists some signatures of several people, but none that I personally
> know, I don't even know whether these people actually exist.

The best way to check this is to check against the Debian Keyring.
Either you download the Debian Keyring from keyring.debian.org like:
	rsync -az --progress \
	keyring.debian.org::keyrings/keyrings/debian-keyring.gpg \
	./debian-keyring.gpg
and check against this keyring, or you check the Key-IDs via
http://db.debian.org/, but you need the fingerprint of those key IDs
then.

Greetings
Martin

-- 
[root@debian /root]# man real-life
No manual entry for real-life
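One way to automate the check Martin describes, as an added example that is not code from this thread: it assumes you have saved the output of `gpg --with-colons --fingerprint --list-keys` for the key fetched from the keyserver and, with `--no-default-keyring --keyring ./debian-keyring.gpg`, for the downloaded Debian keyring. It locates keys by key ID (short or long) but decides only on the full fingerprint; every key ID and fingerprint in the sample data is constructed, not a real Debian key.

```python
# Added example (not from the thread): compare an apt key against the Debian
# keyring by full fingerprint, not by key ID. Both inputs are the colon-
# delimited output of `gpg --with-colons --fingerprint --list-keys`.
# All key IDs and fingerprints below are constructed, not real Debian keys.

def parse_fingerprints(colon_output):
    """Map each primary key's 64-bit key ID to its 40-hex-digit fingerprint."""
    fprs = {}
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4].upper()        # field 5: long key ID
        elif f[0] == "fpr" and current:
            fprs[current] = f[9].upper()  # field 10: fingerprint
            current = None                # following fpr lines are subkeys
    return fprs


def check_key(key_id, candidate_output, keyring_output):
    """Classify a keyserver key against the Debian keyring. key_id may be
    short (8 hex) or long (16 hex), with or without 0x; keys are located by
    trailing digits, so the verdict must rest on the full fingerprint."""
    wanted = key_id.upper()[2:] if key_id.upper().startswith("0X") else key_id.upper()
    candidate = [v for k, v in parse_fingerprints(candidate_output).items()
                 if k.endswith(wanted)]
    keyring = [v for k, v in parse_fingerprints(keyring_output).items()
               if k.endswith(wanted)]
    if len(candidate) != 1:
        return "candidate key not found"
    if not keyring:
        return "not in Debian keyring"
    return "verified" if candidate[0] in keyring else "fingerprint mismatch"


# Constructed keyring with one primary key and one subkey ...
DEBIAN_KEYRING = """\
pub:-:4096:1:A1B2C3D4E5F60718:1186000000:::-:::scESC::::::23::0:
fpr:::::::::111122223333444455556666A1B2C3D4E5F60718:
sub:-:4096:1:0000000011111111:1186000000::::::s::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000000011111111:
"""
GENUINE_KEY = "\n".join(DEBIAN_KEYRING.splitlines()[:2]) + "\n"
# ... and a look-alike whose short ID (last 8 hex digits) collides with it,
# the case a lookup by short key ID alone would wrongly accept.
LOOKALIKE_KEY = """\
pub:-:4096:1:DEADBEEFE5F60718:1187000000:::-:::scESC::::::23::0:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAADEADBEEFE5F60718:
"""
```

A "fingerprint mismatch" or "not in Debian keyring" result means the key should not be passed to apt-key add, whatever `gpg --check-sigs` shows for it.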


