[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signature debian CDs

> I read the previous thread. I am looking at the GPG scheme to
> understand it better.

Basically, the idea is that you are confirming that the key used to
sign the md5sums is a valid *and* trustworthy key--the two are not
synonymous. This is a bootstrapping problem, especially for non-Debian

If you retrieve the key and attempt to validate it against the Debian
keyring, you should see this:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
gpg: using PGP trust model
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sig          1B3045CE 2011-01-07  Colin Tuckley <colin@tuckley.org>
sig          3442684E 2011-01-05  Steve McIntyre <steve@einval.com>
sig          A40F862E 2011-01-05  Neil McGovern <maulkin@halon.org.uk>
sig          C542CD59 2011-01-05  Adam D. Barratt <adam@adam-barratt.org.uk>
sig          95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
sig          63C7CC90 2011-01-05  Simon McVittie <smcv@pseudorandom.co.uk>
sig 3        6294BE9B 2011-01-05  Debian CD signing key
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key

That tells you that the listed people have signed key 0x6294BE9B, and
that it is in fact the same key they think they signed. If your output
matches, then you have a *valid* key.

Now, whether or not the key is *trustworthy* is a bootstrapping
problem, because if you don't know any of the signers personally, you
can't know if their signatures can be trusted to verify the identity
of the target key, In other words, there's nothing stopping me from
labelling a random key with "Debian CD signing key" and getting some
random signatures on it--the key would validate, but wouldn't be

Over on debian-cd, Steve McIntyre confirmed that 6294BE9B is the right
key, and that the people who signed it are the people who can vouch
for the identity of the key. So, if you trust Steve then you can trust
the key--that's what the web of trust model is all about: validating
and trusting keys based on who you trust to vouch for the identity of
a given key.

If you're deeply interested in the underpinnings of the trust model,
you can start with the key management section over at

Hope that helps.

Reply to: