On Lu, 21 mar 11, 13:33:16, Dan wrote: > Hi, > > I downloaded the netinst CD image for the installation of debian. I > have an Ubuntu computer where I checked the md5sum and the sha1sum. I > also tried to check the signature doing the following: > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B > gpg --verify MD5SUMS.sign MD5SUMS > > Is this the right procedure? Yes > I get a warning: > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. GPG is warning you that it can't find a trust path from a key you trust (usually your own) to the key used to sign that file. > How does gpg check the authenticity of keyring.debian.org? Does it > check it through a master keyserver? It doesn't, GPG relies on a web of trust and you trust keys, not servers. See http://en.wikipedia.org/wiki/Web_of_trust Regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Attachment:
signature.asc
Description: Digital signature