On Sb, 05 mar 11, 23:47:38, Joel Rees wrote: > > I did go to the trouble of pulling the signatures and checksums off of > three different more-or-less randomly chosen mirrors, to check they > were the same, but I'd still feel a little more comfortable taking my > first spin with Debian if there were more evidence that the key that > the CDs are being signed with is officially claimed by the project. $ gpg --list-sigs 6294BE9B pub 4096R/6294BE9B 2011-01-05 uid Debian CD signing key <debian-cd@lists.debian.org> sig 3442684E 2011-01-05 Steve McIntyre <steve@einval.com> sig A40F862E 2011-01-05 Neil McGovern <maulkin@halon.org.uk> sig 95861109 2011-01-23 Ben Hutchings (DOB: 1977-01-11) sig 63C7CC90 2011-01-05 Simon McVittie <smcv@pseudorandom.co.uk> sig 3 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org> sub 4096R/11CD9819 2011-01-05 sig 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org> Now you need to find a trust-path to one of them. If you have a trusted Debian system you can install the package debian-keyring, which should contain at least one (most probably all) of the keys above. > Okay, I did a gpg --recv-keys on the key 6294BE9B from > keyring.debian.org , and tried gpg --verify on the downloaded netinst > image, and got the bad signature message. (I think I got the syntax > right.) Do you mind posting the exact commands used and output? Regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Attachment:
signature.asc
Description: Digital signature