on 04:56 Wed 16 Mar, Todd A. Jacobs (firstname.lastname@example.org) wrote: > I've recently downloaded the net installation image for Squeeze, but > am really uncomfortable with the fact that I can't establish a firm > trust path to the CD signing key. Is there a canonical place to get > the fingerprint of this key, so that at least one can have some > confidence that the key one is validating with is at least the > widely-known (and generally accepted) one? > > As a hack, I've done this on an Ubuntu 10.10 system: > > gpg --recv-keys 6294BE9B > gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B > > While this shows that this particular key has been signed by some > Debian developers, it doesn't actually validate that the key is the > official key for verifying the ISOs. > > Can anyone point me to ANY debian.org page that defines the official > key for CD images? Major bonus for any official links to fingerprints > for the CD signing key. You don't trust a key by where you got it. You trust a key by who's signed it. http://www.rubin.ch/pgp/weboftrust.en.html http://www.pgpi.org/doc/pgpintro/ Otherwise: you're saying you trust DNS more than PKI? It would be a Good Thing for the Debian CD signing key to be more widely signed (assuming that 6294BE9B is in fact the signing key). My signing this email simply says that a person who has access to the associated GPG private key wrote it, and (assuming the signature validates), content hasn't been altered. Without known trusted signatures on my key, I could be anybody. -- Dr. Ed Morbius, Chief Scientist / | Robot Wrangler / Staff Psychologist | When you seek unlimited power Krell Power Systems Unlimited | Go to Krell!
Description: Digital signature