Re: Proposal for update of http://debian.org/CD/faq/#verify
On 01/26/2011 02:04 AM, Naja Melan wrote:
3. Could a malicious attacker that feeds me an altered iso image not
also feed me an altered SHA256SUMS file? Yes, they could! HTTP is very
easy to intercept. This is where SHA256SUMS.sign comes in. This file
is the PGP signature of the SHA256SUMS file. It is signed with the
Debian CD signing key which can be obtained from
hkp://keyring.debian.org/. The transport
from the keyserver is not secured, and the only way to verify you
have not been fed a bogus key is through the web of trust
<https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust> if you
are connected to enough people to make a path to the Debian CD signing
What should I do if I am not connected through the web of trust?
There is no easy answer to this.
What if you already have an older Debian install, or an older Debian CD
(that you already verified/trust by other means)?
There should be a chain of trust from the signing keys used on the old
CDs all the way to the signing key used on the new CD, right?
Is there an easy way to check the signing key, given an older Debian CD?
(besides booting from it, and checking the new key with gpg)?
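The two-step check the quoted proposal describes (verify the detached PGP signature on SHA256SUMS with the Debian CD signing key, then compare the ISO's SHA-256 against the entry in that file) can be scripted as below. This is an added example, not code from the Debian FAQ or from anyone in this thread; the keyring path, file names and the "debian-test.iso" fixture are constructed for illustration. The hash check handles both the "hash  name" and the binary-mode "hash *name" line formats that sha256sum produces, and distinguishes "mismatch" from "not listed at all", which matters because a file missing from SHA256SUMS has not been checked at all.

```bash
#!/bin/sh
# Added example (not from the Debian FAQ or the thread): verify a Debian-style
# SHA256SUMS file's detached signature, then check one ISO against it.
set -u

# Step 1: verify_sums_signature SHA256SUMS SHA256SUMS.sign KEYRING
# Returns 0 only if gpg accepts the detached signature using the given
# keyring (which you must have obtained and trusted by other means).
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
}

# Portable SHA-256 of one file (coreutils sha256sum or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 2: check_iso_against_sums SHA256SUMS ISO
# Returns 0 if the ISO's SHA-256 matches its entry in SHA256SUMS,
# 1 on mismatch, 2 if the ISO's basename is not listed in SHA256SUMS.
check_iso_against_sums() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    # Match either "hash  name" or binary-mode "hash *name".
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1; exit}' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$iso")
    [ "$actual" = "$expected" ]
}

# Demo on a constructed fixture: a fake "ISO" containing the line "hello"
# and a SHA256SUMS file listing its known digest. Real use would pass the
# downloaded SHA256SUMS, SHA256SUMS.sign, a trusted keyring and the ISO.
demo_constructed() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/debian-test.iso"
    printf '%s  debian-test.iso\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        > "$tmp/SHA256SUMS"
    if check_iso_against_sums "$tmp/SHA256SUMS" "$tmp/debian-test.iso"; then
        echo "constructed ISO: hash OK"
    else
        echo "constructed ISO: hash check FAILED (rc=$?)"
    fi
    printf 'tampered\n' >> "$tmp/debian-test.iso"
    if check_iso_against_sums "$tmp/SHA256SUMS" "$tmp/debian-test.iso"; then
        echo "tampered ISO: unexpectedly accepted"
    else
        echo "tampered ISO: rejected as expected"
    fi
    rm -rf "$tmp"
}

demo_constructed
```

In real use, run `verify_sums_signature SHA256SUMS SHA256SUMS.sign /path/to/trusted-keyring.gpg` first and only proceed to `check_iso_against_sums` if it returns 0; a valid hash match against an unsigned or unverified SHA256SUMS proves nothing, which is exactly the point the quoted item 3 makes.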