On Wed, Jul 10, 2024 at 6:07 PM 타토카 <cybertatoka@gmail.com> wrote:
>
> Hello, dear Debian Community.
>
> I just wanted to check a key with GPG.
>
> I have found this on https://www.debian.org/CD/verify:
>
> pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
>
> Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
>
> uid Debian CD signing key <debian-cd@lists.debian.org>
>
>
> How can I download this key for GPG checking?
Click on the link, that takes you to
https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
and save the file. Then gpg --import it
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
hrmmm... 64 signatures not checked due to missing keys due to missing
keys doesn't look good, but you've got the key now.
I checked by going to
http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
the SHA512SUMS and SHA512SUMS.sign files.
Verify them by
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
<debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I
can verify.. somebody else hopefully knows how to get all the missing
keys and mark the DA87E80D6294BE9B key as trusted.
and for whatever it's worth, I use these aliases:
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Regards,
Lee