Re: Verifying authenticity of Debian CDs

[Andrew Cater <amacater@gmail.com>]

And it turns out that /etc/apt/trusted.gpg has the buster-stable, the buster-automatic and the buster-security keys by default but _NOT_ the debian-cd signing key so the stage of importing the key to match the specific Debian CD signing key is still valid.

All best, as ever,

Andy C.

On Fri, Jul 24, 2020 at 4:29 PM Andrew Cater <amacater@gmail.com> wrote:

I've just written up longer instructions on my own web page at FLOSSlinux which should explain the steps I've just followed for myself. Check those and see what you think. I'll have a go at importing from /etc/apt/trusted.gpg and see what that looks like. That, of course, is the keyring that apt and aptitude use for master verification of Debian packages as part of the verification process before package installation - so the master keys for the whole of the trust for package installation on a Debian system.

On Fri, Jul 24, 2020 at 4:20 PM Stefan Monnier <monnier@iro.umontreal.ca> wrote:

> when I run the command
> gpg --verify SHAxSUM.sign SHAxSUM
> I get a message saying that
>
> Can't check signature: No public key

You should have the needed key(s) in /etc/apt/trusted.gpg, but to be
honest I don't know how to best pass those to GPG.


        Stefan