Can you please tell me whether I can trust the debian signing key of the live CDs/DVDs? Thanks.
After adding the key to the keyring, I get: gpg --verify SHA256SUMS.sign SHA256SUMS gpg: Signature made Mon 17 Oct 2011 14:55:55 CEST using RSA key ID 6CA7B5A6 gpg: Good signature from "Debian Live Signing Key <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6 The key does not appear in this page: http://www.debian.org/CD/verify Someone else had the same problem, what follows is taken from the debian forum, but there was no reply: http://forums.debian.net/viewtopic.php?f=17&t=74140 The Debian-Live DVD signing key has fingerprint Code: Select all 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6 It is signed by one person Code: Select all sig sig3 6CA7B5A6 2011-03-09 __________ 2021-02-01 [selfsig] sig sig 4B2B2B9E 2011-03-12 __________ __________ Daniel Baumann <***> Baumann has signed his key 4B2B2B9E with various other identities he owns, but apparently no-one else has signed his key! Thus, the GPG signed files containing the checksums for the Debian-live DVDs appear to be questionable. (I munged the email addresses.) Does anyone know why these keys are treated so differently? It could be important if for some reason I wanted to install from one of the live DVDs (each about 1GB) rather than the full (4.4 GB) DVD #1. -- loredana -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
