
Re: verify download



On Fri, Jul 26, 2013 at 03:01:33AM -0700, james gray wrote:
> while going through the verify procedures as described
> http://www.debian.org/CD/verify
> 
[cut]
> 
> clicking on the link in that paragraph and going to
> http://keyring.debian.org/
> 
> The server may be accessed with gpg by using the --keyserver option in
> combination with either of the --recv-keys or --send-keys actions.
> 
> looking at man gpg
> 
> there are no options and all commands.
> 
> Which command or combo of commands should be used?

$ gpg --verify somefile.sig somefile

That, on its own, is enough to verify the integrity of somefile. That
is, you should get a message saying something like:

  gpg: Signature made Fri Jun  4 12:38:46 1999 CDT using DSA key ID BB7576AC
  gpg: Good signature from "Alice (Judge) <alice@cyb.org>"

The "Good signature" is the bit to look for. If it says "BAD signature",
then the file was modified between signing and verifying.

You will *probably* also get a message to the effect of:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.

This means that, although the file wasn't modified, you don't trust
that Alice was the person who signed it. There exists the possibility
that someone modified the file, signed it and you've just verified THAT.

The easiest way is simply to check that the fingerprint matches one of
those listed at http://www.debian.org/CD/verify. You can be *reasonably*
trusting of the Debian Developers. The harder way is to actually meet
one of these (or someone who trusts them; look up "Web of Trust") and
confirm their key.

> 
> Do I need to set up a key while using an insecure machine?

No. When verifying or decrypting with GPG, you won't need your own key.

> 
> I have been swimming through this jungle of confusion for a few years
> and am slowly coming to understand its actual structure. While I do
> work a graveyard shift and am in fatigue 24 hours, trying to learn the
> Debian way is difficult at times. I have studied C and Bash and many
> other languages, but the instructions here and there can be
> frustrating.

Be aware that 99% of people don't go to this effort. Most people trust
that, if the ISO downloads and installs, it's good. Some people will
check against one or two hashsums. Very few people will bother checking
ALL hashsums.

The chance of a file matching MD5, SHA1, SHA256 AND SHA512 and yet
failing to verify its GPG signature is bordering on zero (especially
when you consider that GPG may be using one of those hashes itself).

Attachment: signature.asc
Description: Digital signature
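As an added example (not part of the original reply or of Debian's own tooling), here is the check the reply describes, done by a script rather than by eye. It reads gpg's machine-readable output (what `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS` prints), treats GOODSIG as necessary but not sufficient, and accepts only when the VALIDSIG fingerprint is on a list you copied by hand from http://www.debian.org/CD/verify, which is the fingerprint comparison the reply recommends in place of a web-of-trust path. It then checks SHA512SUMS entries against the downloaded file. The status lines, fingerprints, key IDs, file names and file contents are constructed for the demo; the "Alice (Judge)" user ID is reused from the reply's sample output and is not a real Debian key.

```python
"""Verify a detached signature from gpg status output, then check SHA512SUMS.

Added example, not from the original thread. The status lines, fingerprints
and ISO contents below are constructed; nothing here is a real Debian key.
"""
import hashlib
import re

# Primary-key fingerprints we accept. In real use, copy these by hand from
# https://www.debian.org/CD/verify. This value is a constructed placeholder.
TRUSTED_FINGERPRINTS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01",
}

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_output):
    """Reduce gpg --status-fd lines to the fields that decide the verdict."""
    result = {"goodsig": None, "badsig": None, "fingerprint": None,
              "primary_fingerprint": None, "trust": None}
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":            # GOODSIG <long keyid> <user id...>
            result["goodsig"] = fields[1]
        elif keyword == "BADSIG":           # BADSIG <long keyid> <user id...>
            result["badsig"] = fields[1]
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pubkey algo> <hash algo> <class> [<primary key fpr>]
            result["fingerprint"] = fields[1]
            result["primary_fingerprint"] = fields[10] if len(fields) > 10 else fields[1]
        elif keyword.startswith("TRUST_"):  # TRUST_UNDEFINED is the "not certified" warning
            result["trust"] = keyword
    return result


def signature_verdict(status_output, trusted=TRUSTED_FINGERPRINTS):
    """'accept' only if the signature is good AND the signing key is one we trust."""
    s = parse_status(status_output)
    if s["badsig"]:
        return "bad-signature"          # file changed after it was signed
    if not s["goodsig"] or not s["fingerprint"]:
        return "no-valid-signature"     # e.g. NO_PUBKEY: nothing could be checked
    if s["primary_fingerprint"] in trusted or s["fingerprint"] in trusted:
        return "accept"
    # Good signature, but by a key we never compared against the published
    # fingerprints: an attacker could have re-signed a modified file with it.
    return "untrusted-key"


# SHA512SUMS lines look like "<128 hex>  <filename>" (or "<hex> *<filename>").
SUM_LINE = re.compile(r"^([0-9a-fA-F]{128})[ \t]+[ *]?(.+?)\s*$")


def parse_sums(sums_text):
    """Return {filename: sha512 hex} for every well-formed line."""
    sums = {}
    for line in sums_text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def check_sums(sums_text, files):
    """files is {filename: bytes}. Returns {filename: True, False or None (not listed)}."""
    expected = parse_sums(sums_text)
    verdicts = {}
    for name, data in files.items():
        if name not in expected:
            verdicts[name] = None
            continue
        verdicts[name] = hashlib.sha512(data).hexdigest() == expected[name]
    return verdicts


# --- constructed sample data for a stand-alone run ---
ISO_NAME = "debian-sample-netinst.iso"
ISO_DATA = b"constructed stand-in for ISO contents\n"
TAMPERED_DATA = ISO_DATA + b"one extra byte"
SHA512SUMS = "{}  {}\n".format(hashlib.sha512(ISO_DATA).hexdigest(), ISO_NAME)

GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Alice (Judge) <alice@cyb.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2013-07-26 1374825693 0 4 0 1 10 01 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 23456789ABCDEF01 Alice (Judge) <alice@cyb.org>
"""
UNKNOWN_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Mallory <mallory@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-07-26 1374825693 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for label, status in (("good", GOOD_STATUS), ("bad", BAD_STATUS), ("unknown", UNKNOWN_KEY_STATUS)):
        print(label, "->", signature_verdict(status))
    print(check_sums(SHA512SUMS, {ISO_NAME: ISO_DATA}))
    print(check_sums(SHA512SUMS, {ISO_NAME: TAMPERED_DATA}))
```

Note that the "good" sample still carries TRUST_UNDEFINED, i.e. the "not certified with a trusted signature" warning the reply mentions; the allowlist of fingerprints is what stands in for the missing certification, so the script never relies on gpg's own trust verdict. Also verify the signature on SHA512SUMS before trusting any line in it: the sums file is only as good as the signature over it.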

