
Checking GPG Signatures - Debian Keyring is Huge !



So ... I just downloaded a Debian Sarge CD image, checked the MD5 sum
was okay, and then just for completeness figured I'd check the GPG
signature on the MD5 sums file ...

GPG told me I needed DSA key id 88C7C1F7 to verify the signature ...

http://www.debian.org/CD/faq/#verify tells me I can get the Debian keys
from http://ftp.debian.org/debian/doc/ ... where the Debian keyring is
available for download as a gzip'ed file that's 13.1Mb in size !

Do I *really* need to add such a large keyring to my own keyring, just
to verify the dang GPG signature on a CD image ?

This is not good .......

I assume the "Debian keyring" contains the public keys of every Debian
developer there has ever been.  Surely there is a release-signing key
that Debian uses, that could be posted separately for download ?

Cheers,
Nick Boyce


