
Re: Signature debian CDs



> I read the previous thread. I am looking at the GPG scheme to
> understand it better.

Basically, the idea is that you are confirming that the key used to
sign the md5sums is a valid *and* trustworthy key--the two are not
synonymous. This is a bootstrapping problem, especially for non-Debian
users.

If you retrieve the key and attempt to validate it against the Debian
keyring, you should see this:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
gpg: using PGP trust model
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sig          1B3045CE 2011-01-07  Colin Tuckley <colin@tuckley.org>
sig          3442684E 2011-01-05  Steve McIntyre <steve@einval.com>
sig          A40F862E 2011-01-05  Neil McGovern <maulkin@halon.org.uk>
sig          C542CD59 2011-01-05  Adam D. Barratt <adam@adam-barratt.org.uk>
sig          95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
sig          63C7CC90 2011-01-05  Simon McVittie <smcv@pseudorandom.co.uk>
sig 3        6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>

That tells you that the listed people have signed key 0x6294BE9B, and
that it is in fact the same key they think they signed. If your output
matches, then you have a *valid* key.

Now, whether or not the key is *trustworthy* is a bootstrapping
problem, because if you don't know any of the signers personally, you
can't know if their signatures can be trusted to verify the identity
of the target key. In other words, there's nothing stopping me from
labelling a random key with "Debian CD signing key" and getting some
random signatures on it--the key would validate, but wouldn't be
trustworthy.

Over on debian-cd, Steve McIntyre confirmed that 6294BE9B is the right
key, and that the people who signed it are the people who can vouch
for the identity of the key. So, if you trust Steve then you can trust
the key--that's what the web of trust model is all about: validating
and trusting keys based on who you trust to vouch for the identity of
a given key.

If you're deeply interested in the underpinnings of the trust model,
you can start with the key management section over at
http://www.gnupg.org/gph/en/manual.html#MANAGEMENT.

Hope that helps.
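As an added example (not part of the original thread), here is a small Python check that mechanises the "does your output match" step: it parses the `gpg -kvv` listing quoted above and confirms that the primary key 0x6294BE9B is self-signed and carries signatures from the six signers named in the message. The listing is embedded as constructed input copied from the message, and the expected signer set is taken from it.

```python
import re

# Constructed input: the `gpg -kvv 6294BE9B` listing quoted in the message above.
LISTING = """\
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sig          1B3045CE 2011-01-07  Colin Tuckley <colin@tuckley.org>
sig          3442684E 2011-01-05  Steve McIntyre <steve@einval.com>
sig          A40F862E 2011-01-05  Neil McGovern <maulkin@halon.org.uk>
sig          C542CD59 2011-01-05  Adam D. Barratt <adam@adam-barratt.org.uk>
sig          95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
sig          63C7CC90 2011-01-05  Simon McVittie <smcv@pseudorandom.co.uk>
sig 3        6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
"""
# Short key IDs from the message. 32-bit short IDs are not collision resistant,
# so a production check should pin full fingerprints (gpg --fingerprint) instead.
KEY_ID = "6294BE9B"
EXPECTED_SIGNERS = {"1B3045CE", "3442684E", "A40F862E",
                    "C542CD59", "95861109", "63C7CC90"}
PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\s")
# "sig", optional certification-level digit, signer key ID, date, signer uid.
SIG_RE = re.compile(r"^sig(?:\s+(\d))?\s+([0-9A-F]{8})\s+\d{4}-\d{2}-\d{2}\s+(.*)$")

def parse_listing(text):
    """Return (primary key ID, {signer ID: uid}) for signatures on the primary key."""
    key_id, sigs, in_primary = None, {}, False
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            key_id, in_primary = m.group(1), True
        elif line.startswith("sub"):
            in_primary = False  # signatures below bind the subkey, not vouch for it
        elif in_primary and (m := SIG_RE.match(line)):
            sigs[m.group(2)] = m.group(3).strip()
    return key_id, sigs

def check_listing(text, key_id=KEY_ID, expected=EXPECTED_SIGNERS):
    """The validity check from the message: right key ID, self-signed, every
    expected signer present. Returns (ok, report) so the caller can see why."""
    found, sigs = parse_listing(text)
    third_party = set(sigs) - {found}  # drop the self-signature
    report = {"missing": expected - third_party,
              "unexpected": third_party - expected,
              "self_signed": found in sigs}
    ok = found == key_id and report["self_signed"] and not report["missing"]
    return ok, report
```

A passing check only establishes that the key is *valid* in the sense the message describes; whether the signers themselves are trustworthy is still the bootstrapping question it raises.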