On Wed, Aug 17, 2011 at 10:44:46AM -0500, Kent West wrote:
> I'm getting the "public key is not available" type error on trying
> to upgrade my box from lenny to squeeze.
>
> I have a vague understanding of gpg/public keys/private keys, but
> only vague, and I've found these two commands online which I believe
> will fix my problem:
>
> gpg --keyserver subkeys.pgp.net --recv-keys 55BE302B
>
> gpg -a --export 55BE302B | sudo apt-key add -
>
> (where 55BE302B is the last half or so of the pubkey that is listed
> in the error)
>
> My problem is that I don't know what keyserver to use. I have no
> idea if "subkeys.pgp.net" is a safe keyserver. So I've been googling
> for something like "official debian keyserver", or any keyservers on
> the debian.org domain. I found keyring.debian.org, but it doesn't
> know of my missing key, and I get the impression it's a limited
> keyserver for use by debian developers.
>
> So, how do I know subkeys.pgp.net is a safe keyserver? Or is there
> an official keyserver for debian users?

In theory, there is no such thing as a 'safe' keyserver. Well, nothing such as a trusted keyserver, at least.

With PGP (or GPG - they're basically the same), what matters is the 'web of trust'. That is, I ultimately (implicitly) trust myself and I explicitly trust certain other people. These other people should be people whom I have met in person and confirmed their identity, but may be other people depending on how trusting I am. What I trust about all these people is to say "this key belongs to X" by signing X's key.

So, I receive a key. It doesn't matter how I receive that key - from a keyserver, sent in an email, hewn in granite and delivered atop a mountain. What I do is verify the signatures on the key and then look into my web of trust. If I have signed the key, then I trust the key. If someone I trust has signed the key, then I *sort of* trust the key - that is, I am willing to accept that the key belongs to who it says it belongs to, but I'm probably not willing to trust it when it's used to sign other keys.

So, where does that leave us? Well, I use keys.gnupg.net, but as I stated above, other methods are available (one particularly good one for debian is to install the debian-keyring package). You then need to find a path to verifying that key; a keysigning party is traditional.

--
Darac Marjal
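The web-of-trust reasoning in the reply, as an added example that is not part of the original thread: a small parser for `gpg --with-colons --list-sigs` output that classifies a fetched key as fully trusted (I signed it), marginally trusted (someone I have verified in person signed it), or untrusted (only a self-signature or strangers). The sample records, the key IDs and the set of trusted signers are all constructed placeholders, not real Debian archive keys.

```python
"""Classify a fetched key by who has signed it, following the web-of-trust rules above."""
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-sigs <keyid>` output.
# All key IDs, fingerprints and user IDs below are placeholders, not real keys.
SAMPLE = """\
pub:-:4096:1:0000000055BE302B:1313000000:::-:::scESC::::::::
fpr:::::::::000000000000000000000000000000000055BE302B:
uid:-::::1313000000::0000::Example Archive Key <placeholder@example.org>::::::::::
sig:::1:0000000055BE302B:1313000000::::Example Archive Key <placeholder@example.org>:13x::
sig:::1:2222222222222222:1313100000::::Friend Verified In Person <friend@example.org>:10x::
sig:::1:3333333333333333:1313200000::::[User ID not found]:10x::
"""

MY_KEYID = "1111111111111111"           # the key I hold (assumed placeholder)
TRUSTED_SIGNERS = {"2222222222222222"}  # people I met and whose keys I verified (assumed)


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    signers: list = field(default_factory=list)


def parse_list_sigs(text):
    """Extract key ID, fingerprint and signer key IDs from colon-separated records."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":            # field 5 is the long key ID
            keys.append(Key(keyid=f[4]))
        elif f[0] == "fpr" and keys:  # field 10 carries the full fingerprint
            keys[-1].fingerprint = f[9]
        elif f[0] == "sig" and keys:  # field 5 is the signing key's ID
            keys[-1].signers.append(f[4])
    return keys


def trust_level(key, my_keyid=MY_KEYID, trusted=TRUSTED_SIGNERS):
    """'full' if I signed it, 'marginal' if a trusted signer did, else 'none'."""
    # A self-signature proves nothing about ownership, so it is ignored.
    others = {s for s in key.signers if s != key.keyid}
    if my_keyid in others:
        return "full"
    if others & trusted:
        return "marginal"
    return "none"


if __name__ == "__main__":
    for k in parse_list_sigs(SAMPLE):
        print(k.keyid, k.fingerprint, trust_level(k))
```

Only a key that comes out "full" or "marginal" here has a path into your web of trust; a "none" result means the keyserver gave you a key that nobody you know vouches for, whatever server it came from.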