On Thu, Jul 11, 2024 at 16:47:45 +0500, 타토카 wrote:
> Why are 64 signatures not checked and no ultimately trusted keys found here:
> $ gpg --import key-DA87E80D6294BE9B.txt
> gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
> gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
> <debian-cd@lists.debian.org>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
>
> And this:
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.

Because you haven't established a chain of trust from yourself to any
of the signatures.

You've downloaded this key from the Internet. And it's signed by 64
other keys. That's all you know. You have no idea whether any of those
64 signing keys are trustworthy.

At some point, you have to say "This is good enough." And then you move
on with your life, either installing Debian from the image that you have,
or not.

You've already done far more verification than most people do.
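
Added example, not part of the original message: a sketch of how a script could tell "the signature is cryptographically good" apart from "the key is tied to its owner", by reading the machine-readable lines that `gpg --status-fd 1 --verify` emits. The function name, the verdict strings, the sample status text and the placeholder fingerprint are assumptions of this example; a fingerprint to pin has to come from a source independent of the download.

```python
# Added example. GOODSIG/BADSIG/ERRSIG/VALIDSIG/TRUST_* are GnuPG status
# keywords; the status text below is constructed, not captured output.
PLACEHOLDER_FPR = "A" * 40   # placeholder, NOT the real Debian CD key fingerprint
SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>\n"
    f"[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2024-07-01 1719792000 0 4 0 1 10 00 {PLACEHOLDER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_text, pinned_fpr=None):
    """Return (verdict, detail). pinned_fpr is a full fingerprint the user
    obtained through a channel independent of the key download."""
    good, fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                          # skip human-readable output
        fields = line.split()[1:]
        if not fields:
            continue
        kw = fields[0]
        if kw in ("BADSIG", "ERRSIG"):
            return ("reject", kw)             # broken or uncheckable signature
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and len(fields) > 1:
            # Last field is the primary key fingerprint when present;
            # field 1 may be a signing subkey.
            fpr = (fields[10] if len(fields) > 10 else fields[1]).upper()
        elif kw in TRUST:
            trust = kw
    if not good or fpr is None:
        return ("reject", "no valid signature")
    if pinned_fpr is not None:                # an explicit pin takes precedence here
        if fpr == pinned_fpr.replace(" ", "").upper():
            return ("accept", "fingerprint matches pinned value")
        return ("reject", "fingerprint differs from pinned value")
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return ("accept", trust)
    # The case in this thread: the signature verifies, but nothing ties the key to its owner.
    return ("unverified-owner", trust or "no trust line")

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(SAMPLE, PLACEHOLDER_FPR))
```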