
Re: Signature debian CDs



on 22:48 Mon 21 Mar, Andrei Popescu (andreimpopescu@gmail.com) wrote:
> On Mon, 21 Mar 11, 13:33:16, Dan wrote:
> > Hi,
> > 
> > I downloaded the netinst CD image for the installation of Debian. I
> > have an Ubuntu computer where I checked the md5sum and the sha1sum. I
> > also tried to check the signature doing the following:
> > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
> > gpg --verify MD5SUMS.sign MD5SUMS
> > 
> > Is this the right procedure?
> 
> Yes
> 
> > I get a warning:
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> 
> GPG is warning you that it can't find a trust path from a key you trust 
> (usually your own) to the key used to sign that file.

Expanding on this:

The signature is valid (it cryptographically matches the signing key),
but identity is unverified, based on your (OP's) trust path.

You've got an assurance that the file contents haven't been changed
since they were signed, but no definite assurance of the key's
identity.

This has been recently discussed on this list.
 
-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!

Attachment: signature.asc
Description: Digital signature
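
The distinction drawn in this thread (a cryptographically good signature versus an unverified key identity), as an added example that is not part of the original messages: it reads gpg's `--status-fd` output, where GOODSIG/VALIDSIG report the signature check and TRUST_* reports the trust-path verdict separately, and accepts the file only if the signing key's full fingerprint equals one you obtained out-of-band. The names `check_status`, `sample_status` and `SAMPLE_FPR` are hypothetical, and the fingerprint and status lines are constructed samples, not the real Debian CD key.

```shell
#!/bin/sh
# Added example (not from the thread). Intended use, with PINNED_FPR being the
# full primary-key fingerprint (uppercase hex, no spaces) obtained out-of-band:
#   gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS 2>/dev/null | check_status "$PINNED_FPR"
# Exit status: 0 = valid signature by the pinned key
#              1 = no valid signature (bad, unverifiable, expired or revoked key)
#              2 = valid signature, but made by a key other than the pinned one
check_status() {
    pinned=$1 good=0 fpr="" trust="not reported"
    while read -r tag keyword first rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                echo "FAIL: gpg reported $keyword"; return 1 ;;
            GOODSIG)  good=1 ;;
            VALIDSIG) # last field is the primary-key fingerprint; a line with
                      # a single field carries only the signing-key fingerprint
                fpr=${rest##* }; [ -n "$fpr" ] || fpr=$first ;;
            TRUST_*)  trust=${keyword#TRUST_} ;;   # trust-path verdict only
        esac
    done
    if [ "$good" -ne 1 ] || [ -z "$fpr" ]; then
        echo "FAIL: no GOODSIG/VALIDSIG pair seen"; return 1
    fi
    if [ "$fpr" != "$pinned" ]; then
        echo "MISMATCH: signed by $fpr, not the pinned key"; return 2
    fi
    echo "OK: valid signature by pinned key (gpg trust: $trust)"
}

# Constructed sample (fingerprint and key ID are made up): a good signature
# from a key with no trust path, i.e. the situation described in the thread.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    cat <<EOF
[GNUPG:] SIG_ID constructedSigId 2011-03-21 1300700000
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signing Key <key@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2011-03-21 1300700000 0 4 0 1 2 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}
sample_status | check_status "$SAMPLE_FPR"
```

A result of 0 with "gpg trust: UNDEFINED" is the case from the thread: the signature checks out and the key matches your pin, even though gpg has no trust path to it.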

