[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Canonical source for the new CD signing key's fingerprint?

on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+debian@gmail.com) wrote:
> I've recently downloaded the net installation image for Squeeze, but
> am really uncomfortable with the fact that I can't establish a firm
> trust path to the CD signing key. Is there a canonical place to get
> the fingerprint of this key, so that at least one can have some
> confidence that the key one is validating with is at least the
> widely-known (and generally accepted) one?
> As a hack, I've done this on an Ubuntu 10.10 system:
>   gpg --recv-keys 6294BE9B
>   gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
> While this shows that this particular key has been signed by some
> Debian developers, it doesn't actually validate that the key is the
> official key for verifying the ISOs.
> Can anyone point me to ANY debian.org page that defines the official
> key for CD images? Major bonus for any official links to fingerprints
> for the CD signing key.

You don't trust a key by where you got it.

You trust a key by who's signed it.


Otherwise: you're saying you trust DNS more than PKI?

It would be a Good Thing for the Debian CD signing key to be more widely
signed (assuming that 6294BE9B is in fact the signing key).

My signing this email simply says that a person who has access to the
associated GPG private key wrote it, and (assuming the signature
validates), content hasn't been altered.

Without known trusted signatures on my key, I could be anybody.

Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!

Attachment: signature.asc
Description: Digital signature

Reply to: