
Re: you iso's may have been hacked



Thomas Schmitt wrote:
>Hi,
>
>Andrew F Comly wrote:
>> gpg: WARNING: This key is not certified with a trusted signature!
>
>I wonder whom we could trust to certify the Debian gpg key ...

It's signed by a number of prominent DDs, including 2 DPLs and 2
Release Managers. Oh, and a number of idiots who don't understand GPG:
they have signed it and pushed signatures to the keyservers without
any fingerprint verification. :-(

It's also contained in the debian-role-keys keyring in the
debian-keyring package:

gpg --no-default-keyring -kvc --keyring /usr/share/keyrings/debian-role-keys.gpg DA87E80D6294BE9B
pub   4096R/DA87E80D6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                          Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/642A5AC311CD9819 2011-01-05

and the full fingerprint is also on the Debian website using https for
people who would rather trust that.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.
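
Added example, not part of the original message: a shell sketch of the check described above. It pins the full fingerprint quoted in the message, confirms the key in the debian-role-keys keyring matches it, and only then verifies a detached signature against that keyring alone. The function names and the two file arguments (a signature file and the file it signs, for example SHA512SUMS.sign and SHA512SUMS) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message); function names are hypothetical.
# Fingerprint and keyring path are the ones quoted in the message above.
EXPECTED_FPR="DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"
KEYRING="/usr/share/keyrings/debian-role-keys.gpg"

# Strip whitespace and uppercase, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record after a "pub" record (field 10).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Succeed only on a full 40-hex-digit match; a short or long key ID
# is never accepted as proof of identity.
fpr_matches() {
    got=$(normalize_fpr "$1")
    want=$(normalize_fpr "$2")
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# List the key from the packaged keyring only (the user's own keyring is
# ignored) and compare its fingerprint with the pinned value.
verify_keyring_key() {
    listing=$(gpg --no-default-keyring --keyring "$KEYRING" \
        --with-colons --fingerprint "$(normalize_fpr "$EXPECTED_FPR")") || return 1
    fpr_matches "$(printf '%s\n' "$listing" | primary_fpr)" "$EXPECTED_FPR"
}

# $1 = detached signature, $2 = signed file (assumed arguments).
main() {
    verify_keyring_key || { echo "fingerprint mismatch, not trusting $KEYRING" >&2; return 1; }
    # gpgv trusts exactly the keys in the given keyring and nothing else.
    gpgv --keyring "$KEYRING" "$1" "$2"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it with the signature file first and the signed file second; with no arguments it only defines the functions.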

