
Re: verifying archive signature keys?

Martin Zobel-Helas <zobel@ftbfs.de> writes:

> Hi, 
> On Wed Aug 15, 2007 at 10:54:02 +0200, Hadmut Danisch wrote:
>> Hi,
>> just a question because someone had asked me for help. The problem was
>> that apt-get update had complained about not being able to verify
>> signatures due to a missing pgp key.
>> Was easy to tell to do
>> gpg --recv-key A70DAF536070D3A1
>> gpg -a --export A70DAF536070D3A1 |  sudo apt-key add -
>> but: How would one verify that this key is the correct debian
>> key (and not, e.g. the key used by an intruder to fake packages and
>> simply uploaded to public key repositories)?
>> gpg --check-sigs A70DAF536070D3A1
>> lists some signatures of several people, but none that I personally
>> know, I don't even know whether these people actually exist.
> The best way to check this, is to check against the Debian Keyring.
> Either you download the Debian Keyring from keyring.debian.org like:
> 	rsync -az --progress \
> 	keyring.debian.org::keyrings/keyrings/debian-keyring.gpg \
> 	./debian-keyring.gpg
> and check against this keyring, or you check the Key-IDs via
> http://db.debian.org/, but you need the fingerprint of those key IDs
> then.
> Greetings
> Martin

Which doesn't really solve anything, as you can't trust those sources
any more than the initial key.

You have to look for a trust path between you and the Debian key. As
you said, the Debian key has signatures by a number of people, none of
whom you know. Those people have signatures on their keys from other
people, and those again from even more people. After a few such steps
you hopefully end up with a person you know or met once, and then you
have a trust path.

There should be a lot of trust paths, the more the better and the
shorter the path the better.


PS: Another way is to trust your Debian CD you bought some time ago
and use the keyring on that CD.
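An added example, not part of this thread, showing the two checks discussed above in code: comparing a fetched key's fingerprint against a separately obtained keyring, and searching the web of trust for a path from a key you hold to the archive key (shorter paths first, and the number of paths found). The listings are constructed samples in the `gpg --with-colons --list-sigs` record layout; only the key id A70DAF536070D3A1 comes from the thread, and every other key id, name and the fingerprint are made up for illustration.

```python
"""Fingerprint comparison and trust-path search over gpg colon listings (constructed data)."""

# Constructed sample of `gpg --with-colons --list-sigs` output (NOT real key data).
# Field 5 (index 4) of a "pub" record is the key id; of a "sig" record it is
# the signer's key id; field 10 (index 9) of an "fpr" record is the fingerprint.
TARGET = "A70DAF536070D3A1"          # key id from the thread
MY_KEY = "5555555555555555"          # constructed: a key whose owner you are
FETCHED_LISTING = """\
pub:u:4096:1:A70DAF536070D3A1:1176000000::::::scESC:
fpr:::::::::000000000000000000000000A70DAF536070D3A1:
uid:u::::1176000000::XXXX::Constructed Archive Key <ftpmaster@example.invalid>:
sig:::1:A70DAF536070D3A1:1176000000::::Constructed Archive Key:13x:
sig:::1:1111111111111111:1176000000::::Alice <alice@example.invalid>:10x:
sig:::1:2222222222222222:1176000000::::Bob <bob@example.invalid>:10x:
sig:::1:4444444444444444:1176000000::::Dave <dave@example.invalid>:10x:
pub:u:2048:1:1111111111111111:1170000000::::::scESC:
sig:::1:3333333333333333:1170000000::::Carol <carol@example.invalid>:10x:
pub:u:2048:1:2222222222222222:1170000000::::::scESC:
sig:::1:5555555555555555:1170000000::::Me <me@example.invalid>:10x:
pub:u:2048:1:3333333333333333:1170000000::::::scESC:
sig:::1:5555555555555555:1170000000::::Me <me@example.invalid>:10x:
pub:u:2048:1:4444444444444444:1170000000::::::scESC:
sig:::1:4444444444444444:1170000000::::Dave <dave@example.invalid>:13x:
"""
# Constructed listing of the same key id taken from a separately obtained keyring.
KEYRING_LISTING = """\
pub:u:4096:1:A70DAF536070D3A1:1176000000::::::scESC:
fpr:::::::::000000000000000000000000A70DAF536070D3A1:
"""
# Constructed listing of a different key that merely shares the 64-bit key id.
ROGUE_LISTING = """\
pub:u:4096:1:A70DAF536070D3A1:1180000000::::::scESC:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFA70DAF536070D3A1:
"""


def parse_listing(text):
    """Return (fingerprints, signers).

    fingerprints: key id -> full fingerprint
    signers:      key id -> set of key ids that signed it (self-signatures dropped)
    """
    fingerprints, signers, current = {}, {}, None
    for line in text.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            current = fields[4]
            signers.setdefault(current, set())
        elif record == "fpr" and current:
            fingerprints[current] = fields[9]
        elif record == "sig" and current:
            signer = fields[4]
            if signer != current:          # a self-signature proves nothing here
                signers[current].add(signer)
    return fingerprints, signers


def fingerprint_matches(fetched_fprs, reference_fprs, keyid):
    """True only if both sources list keyid with the identical full fingerprint.

    A matching short key id is not enough: compare the whole fingerprint.
    """
    fetched = fetched_fprs.get(keyid)
    return fetched is not None and fetched == reference_fprs.get(keyid)


def trust_paths(signers, trusted, target, max_hops=3):
    """Enumerate simple signature chains from a trusted key to target.

    Walks backwards from target over "who signed this key" edges; returns
    each path as [trusted_key, ..., target], shortest first.
    """
    found = []

    def walk(key, path):
        if key in trusted:
            found.append(list(reversed(path)))
            return
        if len(path) - 1 >= max_hops:      # bound the search depth
            return
        for signer in sorted(signers.get(key, ())):
            if signer not in path:         # no cycles
                walk(signer, path + [signer])

    walk(target, [target])
    return sorted(found, key=len)


if __name__ == "__main__":
    fetched_fprs, signers = parse_listing(FETCHED_LISTING)
    keyring_fprs, _ = parse_listing(KEYRING_LISTING)
    print("fingerprint matches keyring:",
          fingerprint_matches(fetched_fprs, keyring_fprs, TARGET))
    for path in trust_paths(signers, {MY_KEY}, TARGET):
        print(len(path) - 1, "hops:", " -> ".join(path))
```

In the constructed data Dave's key is a dead end (only self-signed), so it contributes no path, while Bob gives a two-hop path and Alice a three-hop one via Carol; the rogue listing shares the 64-bit key id but fails the full-fingerprint comparison.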
