Hi mate

> Then I checked for 4B2B2B9E and got a match!
>
> $ gpg --no-default-keyring --keyring ~/downloads/debs/debian-keyring.gpg
> --check-sig 4B2B2B9E
> gpg: checking the trustdb
> gpg: public key 3C093EEF is 29789 seconds newer than the signature
> gpg: public key 3C093EEF is 29789 seconds newer than the signature
> gpg: public key 3C093EEF is 29789 seconds newer than the signature
> gpg: public key of ultimately trusted key ECB41FF5 not found
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
> pub 1024D/4B2B2B9E 2004-06-20
> uid Daniel Baumann <firstname.lastname@example.org>
> [...]
> sig!3 307D56ED 2004-09-18 Noèl Köthe <email@example.com>
> sig!3 9B7C328D 2005-03-30 Luk Claes <firstname.lastname@example.org>
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> <email@example.com>
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> [...]
> 1 bad signature
> 535 signatures not checked due to missing keys
>
> How well do you think I can trust this debian-keyring_2006.10.11_all.deb
> package?

If you really want to check that a certain key belongs to a Debian Developer, you should check that the key is on keyring.debian.org. This one is always up to date. Just use "gpg --keyserver keyring.debian.org --recv-key $ID-TO-CHECK". If you do not get a positive answer, then the key does not belong to a DD. (There might be some problems with emeritus developers, but they should be minimal).

Please also note that for the backports.org archive, there might be some uploaders, who are not a DD (yet), but in the NM process.

Cheers
Steffen
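
Added example, not part of the original message: a small POSIX shell helper that tallies the per-signature flags in `gpg --check-sigs` output like the listing quoted above, where GnuPG marks a verified signature with `!`, a bad one with `-` and a checking error with `%`. The function names, key IDs and sample listing are constructed for illustration.

```sh
#!/bin/sh
# Tally signature flags from `gpg --check-sigs` output read on stdin.
# $1 = short ID of the key under examination, used to spot its self-signature.
# Prints one line: good=<n> bad=<n> error=<n> selfsig_good=<n>
tally_sigs() {
    awk -v self="$1" '
        /^sig/ {
            flag = substr($1, 4, 1)        # character right after "sig"
            id = ""
            # The signer key ID is the first all-hex field of 8+ characters.
            for (i = 2; i <= NF; i++)
                if (length($i) >= 8 && $i ~ /^[0-9A-F]+$/) { id = $i; break }
            if (flag == "!")      { good++; if (id == self) selfgood++ }
            else if (flag == "-") { bad++ }
            else if (flag == "%") { err++ }
        }
        END {
            printf "good=%d bad=%d error=%d selfsig_good=%d\n",
                   good + 0, bad + 0, err + 0, selfgood + 0
        }
    '
}

# Constructed sample listing (not real keys or real gpg output).
sample_output() {
    cat <<'EOF'
pub   1024D/0A0A0A0A 2004-06-20
uid                  Example Developer <dev@example.org>
sig!3        0A0A0A0A 2004-06-20  Example Developer <dev@example.org>
sig!3        0B0B0B0B 2004-09-18  Signer One <one@example.org>
sig-3        0C0C0C0C 2005-03-30  Signer Two <two@example.org>
sig%         0D0D0D0D 2005-04-01  [constructed error entry]
EOF
}

# Prints: good=2 bad=1 error=1 selfsig_good=1
sample_output | tally_sigs 0A0A0A0A
```

With a real keyring, pipe the output of the `gpg ... --check-sigs KEYID` command into `tally_sigs KEYID`; signatures whose issuer key is missing are only counted in gpg's summary lines and do not appear in this tally.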