Re: General questions
Hi,
cybertatoka@gmail.com wrote:
> 2.2. I have done then: gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
> 2.3. Then I have got next info: Signature was made on 30 June 2024
> And RSA key: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> I have compared 2011's key and mine and they are the same.
The key string looks good, indeed.
> But is it a good idea to do that? Or do I need to download the open key and
> then compare them?
It would suffice for me. If you know more ways to verify that the
signature belongs to Debian, then apply them. Just to be sure.
> And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do
> the same actions with SHA256SUMS.sign and SHA256SUMS?
It is the general belief that faking a SHA-512 checksum is not feasible,
currently. Faking both SHA-512 and SHA-256 would be even more difficult.
So check both and raise loud alarm if one matches and the other does not.
Have a nice day :)
Thomas
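The procedure discussed in this thread, as an added example (not Thomas's or Debian's code): run the gpg command from the question, confirm that the signature really comes from the fingerprint quoted above, then check the image against both checksum lists and flag the case where exactly one of them disagrees. The file names, the image name and the use of gpg's --status-fd output are assumptions.

```python
"""Added example: check the .sign signature's fingerprint, then BOTH checksum lists."""
import hashlib
import subprocess

# Fingerprint quoted in the thread; file and image names below are assumptions.
DEBIAN_CD_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

def parse_sums(text):
    """Parse coreutils-style '<hex>  <name>' lines into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return sums

def signed_by(status_text, fingerprint):
    """True if gpg --status-fd output reports a VALIDSIG made by `fingerprint`."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) > 2 and f[:2] == ["[GNUPG:]", "VALIDSIG"] and f[2].upper() == fingerprint.upper():
            return True
    return False

def verify_signature(sums_file, sig_file, fingerprint=DEBIAN_CD_FPR):
    """Run the gpg command from the thread; good only if exit 0 AND the expected key signed."""
    r = subprocess.run(["gpg", "--status-fd", "1", "--keyserver", "keyring.debian.org",
                        "--verify", sig_file, sums_file], capture_output=True, text=True)
    return r.returncode == 0 and signed_by(r.stdout, fingerprint)

def cross_check(name, data, sha512_text, sha256_text):
    """Compare data against both lists -> 'ok', 'bad', 'missing' or 'ALARM'."""
    want512 = parse_sums(sha512_text).get(name)
    want256 = parse_sums(sha256_text).get(name)
    if want512 is None or want256 is None:
        return "missing"
    ok512 = hashlib.sha512(data).hexdigest() == want512
    ok256 = hashlib.sha256(data).hexdigest() == want256
    if ok512 and ok256:
        return "ok"
    if ok512 != ok256:
        return "ALARM"  # one list agrees and the other does not: assume tampering
    return "bad"

if __name__ == "__main__":
    for sums, sig in (("SHA512SUMS", "SHA512SUMS.sign"), ("SHA256SUMS", "SHA256SUMS.sign")):
        print(sums, "signed by Debian:", verify_signature(sums, sig))
    iso = "debian-IMAGE.iso"  # placeholder: put the downloaded image name here
    with open(iso, "rb") as f:
        print(iso, cross_check(iso, f.read(), open("SHA512SUMS").read(), open("SHA256SUMS").read()))
```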