[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signature debian CDs

On Lu, 21 mar 11, 13:33:16, Dan wrote:
> Hi,
> I downloaded the netinst CD image for the installation of debian. I
> have an Ubuntu computer where I checked the md5sum and the sha1sum. I
> also tried to check the signature doing the following:
> gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
> gpg --verify MD5SUMS.sign MD5SUMS
> Is this the right procedure?


> I get a warning:
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.

GPG is warning you that it can't find a trust path from a key you trust 
(usually your own) to the key used to sign that file.

> How does gpg check the authenticity of keyring.debian.org? Does it
> check it through a master keyserver?

It doesn't, GPG relies on a web of trust and you trust keys, not 
servers. See http://en.wikipedia.org/wiki/Web_of_trust

Offtopic discussions among Debian users and developers:

Attachment: signature.asc
Description: Digital signature

Reply to: