Regarding whether keys used to sign debian-live releases are present (or not) in debian-keyring.gpg or debian-role-keys.gpg:

On Mon, 11 Aug 2014, Francesco Ariis wrote:
On Sun, Aug 10, 2014 at 10:34:21PM -0400, davidson@ling.ohio-state.edu wrote:
| $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|     version 4, created 1406210061, md5len 0, sigclass 0x00
|     digest algo 8, begin of digest fc 43
|     hashed subpkt 2 len 4 (sig created 2014-07-24)
|     subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|     data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Can't check signature: public key not found
|
| This was not the outcome I was hoping for, but I am not sure what to do next.

Hello Wes,

It seems the key ID 6294BE9B is found in /usr/share/keyring/debian-role-keys.gpg [1]; the .iso should verify with that.

I was thinking of writing a three-line paragraph to make the wiki [2] clearer on the matter (i.e. provide the gpgv command with the specific file to pass to --keyring), but after reading this:

| Official role keys have gradually replaced the use of personal keys
| belonging to developers. However, a decision was made not to go back
| and re-sign all the old releases that were already signed using the
| older keys.

I am unsure whether Jessie and future releases will have their .iso signed by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed light on the matter?
WRT debian-live, the thread below seems relevant.

https://lists.debian.org/debian-live/2014/04/msg00004.html

Whether it casts light or shade is not clear to me.

By the way, the key for checking the sig below seems to be missing from both debian-keyring.gpg and debian-role-keys.gpg:

http://live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sig

This, below, seems to be the key in question:

[from http://www.debian.org/CD/verify]
| To ensure that the checksums files themselves are correct, use GnuPG
| to verify them against the accompanying signature files
| (e.g. MD5SUMS.sign). The keys used for these signatures are all in
| the Debian GPG keyring and the best way to check them is to use that
| keyring to validate via the web of trust. To make life easier for
| users, here are the fingerprints for the keys that have been used for
| releases in recent years (with some UIDs removed for clarity):
[snipped some fingerprints/ids]
| pub   4096R/A9B26DF5 2014-01-03
|       Key fingerprint = 8A36 A2E8 91A5 C2A9 0DEB 7A8B 1239 00F2 A9B2 6DF5
| uid                  Live Systems Project <debian-live@lists.debian.org>
| sub   4096R/D0125917 2014-01-03
[snipped some more fingerprints/ids]

I found this thread, which explains its absence from the keyring, for a certain interpretation of the term "explain":

https://lists.debian.org/debian-live/2014/03/msg00038.html

-wes
[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify
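The check the thread is circling around, written out as an added example (this is not code from the thread, from the Debian wiki, or from Debian's own tooling): try each candidate keyring with gpgv until one contains the signing key, and only then compare the image against the signed SHA512SUMS. The keyring paths in the usage comment are assumptions about what the debian-keyring package installs; the image and list names are placeholders. One caveat a practitioner should keep in mind: a successful gpgv run means only that some key in that keyring made the signature, so the reported key ID or fingerprint should still be compared against the list on the CD/verify page before the result is treated as meaningful.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian. It does what the
# thread describes by hand: try each candidate keyring with gpgv until one
# contains the signing key, then compare the image against the signed
# SHA512SUMS. Assumes gpgv, sha512sum and awk are on PATH and that keyring
# paths are absolute (gpgv treats a bare name as relative to its homedir).

# find_keyring SIG DATA KEYRING...
# Prints the first keyring under which gpgv accepts SIG for DATA and returns
# 0. Returns 1 if none does, which is the "public key not found" situation
# in the thread (or a signature that is simply bad).
find_keyring() {
    fk_sig=$1; fk_data=$2; shift 2
    for fk_kr in "$@"; do
        [ -r "$fk_kr" ] || continue
        if gpgv --keyring "$fk_kr" -- "$fk_sig" "$fk_data" 2>/dev/null; then
            printf '%s\n' "$fk_kr"
            return 0
        fi
    done
    return 1
}

# check_sum SUMS FILE
# Looks FILE's basename up in a SHA512SUMS-style list ("<hex>  <name>" or
# "<hex> *<name>") and recomputes the digest. Returns 0 on match, 1 on
# mismatch, 2 if the list has no entry for FILE.
check_sum() {
    cs_sums=$1; cs_file=$2
    cs_want=$(awk -v f="$(basename "$cs_file")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$cs_sums")
    if [ -z "$cs_want" ]; then
        echo "no entry for $(basename "$cs_file") in $cs_sums" >&2
        return 2
    fi
    cs_have=$(sha512sum -- "$cs_file" | awk '{ print $1 }')
    [ "$cs_have" = "$cs_want" ]
}

# verify_image IMAGE SUMS SIG KEYRING...
# The full check, signature first: nothing in the checksum list is trusted
# until the list itself has verified under one of the given keyrings.
verify_image() {
    vi_img=$1; vi_sums=$2; vi_sig=$3; shift 3
    vi_kr=$(find_keyring "$vi_sig" "$vi_sums" "$@") || {
        echo "$vi_sig: signature did not verify under any given keyring" >&2
        return 1
    }
    echo "signature OK under $vi_kr"
    check_sum "$vi_sums" "$vi_img" || {
        echo "$vi_img: checksum mismatch or missing entry" >&2
        return 1
    }
    echo "checksum OK: $vi_img"
}

# Usage (keyring paths are an assumption about the debian-keyring package;
# image.iso is a placeholder name):
#   verify_image image.iso SHA512SUMS SHA512SUMS.sign \
#       /usr/share/keyrings/debian-role-keys.gpg \
#       /usr/share/keyrings/debian-keyring.gpg
```

Passing both keyrings answers the question raised in the thread for any given release without knowing in advance which one holds the key; the printed keyring path tells you which it was. The signature check runs before the digest comparison deliberately, since an attacker who can replace the image can just as easily replace an unsigned SHA512SUMS.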