Re: Signature debian CDs
On Mon, Mar 21, 2011 at 6:57 PM, Dr. Ed Morbius <firstname.lastname@example.org> wrote:
> on 22:48 Mon 21 Mar, Andrei Popescu (email@example.com) wrote:
>> On Mon, 21 Mar 11, 13:33:16, Dan wrote:
>> > Hi,
>> > I downloaded the netinst CD image for the installation of debian. I
>> > have an Ubuntu computer where I checked the md5sum and the sha1sum. I
>> > also tried to check the signature doing the following:
>> > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>> > gpg --verify MD5SUMS.sign MD5SUMS
>> > Is this the right procedure?
>> > I get a warning:
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg: There is no indication that the signature belongs to the owner.
>> GPG is warning you that it can't find a trust path from a key you trust
>> (usually your own) to the key used to sign that file.
> Expanding on this:
> The signature is valid (it cryptographically matches the signing key),
> but identity is unverified, based on your (OP's) trust path.
> You've got an assurance that the file contents haven't been changed
> since they were signed, but no definite assurance of the key's
> This has been recently discussed on this list.
Thanks for your answer,
I read the previous thread. I am looking at the GPG scheme to
understand it better.
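
The distinction drawn in this thread (valid signature versus verified key identity), as an added example that is not part of the original messages: a shell function that reads GnuPG's `--status-fd` lines and separates "integrity only" from "trusted" and from a bad signature. The function name, verdict words and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Feed it the machine-readable status lines from:
#   gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS 2>/dev/null
# classify_gpg_status (hypothetical name) prints exactly one verdict word.
classify_gpg_status() {
    sig=none        # none | good | bad | nokey
    trust=unknown   # unknown | weak | full
    while IFS=' ' read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue     # skip human-readable lines
        case "$keyword" in
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                sig=bad ;;                      # sticky: never upgraded again
            GOODSIG)
                if [ "$sig" != bad ]; then sig=good; fi ;;
            ERRSIG|NO_PUBKEY)
                if [ "$sig" = none ]; then sig=nokey; fi ;;
            TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL)
                trust=weak ;;
            TRUST_FULLY|TRUST_ULTIMATE)
                trust=full ;;
        esac
    done
    case "$sig:$trust" in
        bad:*)     echo BAD ;;            # signature does not check out
        nokey:*)   echo NO_KEY ;;         # signing key was never imported
        good:full) echo TRUSTED ;;        # integrity plus a trust path to the key
        good:*)    echo INTEGRITY_ONLY ;; # the warning case from this thread
        *)         echo NO_SIGNATURE ;;
    esac
}

# Constructed status output (key ID and user ID are placeholders, not the
# real Debian CD key): a valid signature from a key with no trust path.
sample_untrusted='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$sample_untrusted" | classify_gpg_status
```

On `INTEGRITY_ONLY`, the remaining step is to compare the output of `gpg --fingerprint 6294BE9B` with a fingerprint obtained through a channel you already trust.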