
Re: Signature debian CDs



On Mon, Mar 21, 2011 at 6:57 PM, Dr. Ed Morbius <dredmorbius@gmail.com> wrote:
> on 22:48 Mon 21 Mar, Andrei Popescu (andreimpopescu@gmail.com) wrote:
>> On Lu, 21 mar 11, 13:33:16, Dan wrote:
>> > Hi,
>> >
>> > I downloaded the netinst CD image for the installation of debian. I
>> > have an Ubuntu computer where I checked the md5sum and the sha1sum. I
>> > also tried to check the signature doing the following:
>> > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>> > gpg --verify MD5SUMS.sign MD5SUMS
>> >
>> > Is this the right procedure?
>>
>> Yes
>>
>> > I get a warning:
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg:          There is no indication that the signature belongs to the owner.
>>
>> GPG is warning you that it can't find a trust path from a key you trust
>> (usually your own) to the key used to sign that file.
>
> Expanding on this:
>
> The signature is valid (it cryptographically matches the signing key),
> but identity is unverified, based on your (OP's) trust path.
>
> You've got an assurance that the file contents haven't been changed
> since they were signed, but no definite assurance of the key's
> identity.
>
> This has been recently discussed on this list.

Thanks for your answer,
I read the previous thread. I am looking at the GPG scheme to
understand it better.

Best,
Dan
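
Added example, not part of the thread: the distinction drawn above (signature valid, key identity unverified) can be read mechanically from the status lines gpg emits with `--status-fd`. The function name, the exit-code convention and the sample status lines are this example's own; the key ID, fingerprint and user ID in the sample are constructed placeholders.

```shell
#!/bin/sh
# Report integrity and key trust as two separate results.
# Real use (not run here):
#   gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS 2>/dev/null | classify_gpg_status
# Exit codes (this example's convention):
#   0 = good signature, trusted key; 1 = good signature, no trust path; 2 = not verified
classify_gpg_status() {
    sig=none; trust=UNKNOWN; fpr=-
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                # Signature matches the data and a key in the keyring.
                if [ "$sig" = none ]; then sig=good; fi ;;
            "[GNUPG:] BADSIG "*)
                # Data or signature was altered; this overrides everything else.
                sig=bad ;;
            "[GNUPG:] ERRSIG "*)
                # Signature could not be checked (for example, key not imported).
                if [ "$sig" != bad ]; then sig=unchecked; fi ;;
            "[GNUPG:] VALIDSIG "*)
                # First field is the signing key's full fingerprint.
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *} ;;
            "[GNUPG:] TRUST_"*)
                # UNDEFINED, NEVER, MARGINAL, FULLY or ULTIMATE.
                rest=${line#"[GNUPG:] TRUST_"}
                trust=${rest%% *} ;;
        esac
    done
    echo "integrity=$sig trust=$trust fingerprint=$fpr"
    [ "$sig" = good ] || return 2
    case "$trust" in
        FULLY|ULTIMATE) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed status output for the case in the thread: good signature,
# no trust path. All identifiers below are placeholders.
sample_no_trust_path() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000000 Placeholder Signing Key <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2011-03-21 1300730000 0 4 0 1 2 00
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_no_trust_path | classify_gpg_status || echo "exit status $?"
```

Exit status 1 is the case that produces the warning quoted above; the printed fingerprint is the value to compare against one obtained through a separate channel.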

