I downloaded debian-live-6.0.7-amd64-lxde-desktop.iso, SHA256SUMS, SHA256SUMS.sign.

$ gpg --verify SHA256SUMS.sign
gpg: Signature made Mon 04 Mar 2013 11:15:15 AM CET using RSA key ID 6CA7B5A6
gpg: Can't check signature: public key not found
$ gpg --recv-keys 6CA7B5A6
gpg: requesting key 6CA7B5A6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 6CA7B5A6: public key "Debian Live Signing Key <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 6 signed: 16 trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: depth: 1 valid: 16 signed: 30 trust: 12-, 1q, 0n, 3m, 0f, 0u
gpg: next trustdb check due at 2015-02-22
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --fingerprint 6CA7B5A6
pub 4096R/6CA7B5A6 2011-03-09 [expires: 2021-02-01]
Key fingerprint = 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6
uid Debian Live Signing Key <[email protected]>
sub 4096R/6E7B0CD3 2011-03-09 [expires: 2021-02-01]
$ gpg --verify SHA256SUMS.sign
gpg: Signature made Mon 04 Mar 2013 11:15:15 AM CET using RSA key ID 6CA7B5A6
gpg: Good signature from "Debian Live Signing Key <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6
$ sha256sum -c SHA256SUMS 2>&1 | grep debian-live-6.0.7-amd64-lxde-desktop.iso:
debian-live-6.0.7-amd64-lxde-desktop.iso: OK

Everything looks fine, except I cannot know that this key is the authentic Debian Live Signing Key, can I?

So, this way, if someone finds the fingerprint is wrong, she can reply to this post.

Kind regards
--
http://markorandjelovic.hopto.org
Please make your donation for humanitarian aid for flood victims in Serbia: http://www.floodrelief.gov.rs/eng/
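
The "Good signature" plus "not certified" result above can be turned into a scripted, fail-closed check by pinning the expected primary key fingerprint and comparing it with gpg's machine-readable status output. This is an added example, not part of the original post; the function names and the sample status lines are constructed, and the pinned value is the fingerprint from the post, assumed to have been confirmed through an independent channel.

```shell
#!/bin/sh
# Fingerprint printed in the post. Treating it as authentic is an ASSUMPTION
# until it is confirmed through a channel independent of the keyserver.
PINNED_FPR="696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6"

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured).
SAMPLE_STATUS='[GNUPG:] GOODSIG 6F95B4996CA7B5A6 Debian Live Signing Key
[GNUPG:] VALIDSIG 696F95F088E4D359947F7AEB6F95B4996CA7B5A6 2013-03-04 1362392115 0 4 0 1 8 00 696F95F088E4D359947F7AEB6F95B4996CA7B5A6
[GNUPG:] TRUST_UNDEFINED'

# normalize_fpr FPR: drop spaces and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_sig_status PINNED: reads gpg status lines on stdin. Succeeds only if
# a VALIDSIG line names the pinned primary key and nothing reports a bad,
# unverifiable, expired-key or revoked-key signature.
check_sig_status() {
    awk -v pinned="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field is the
        # primary key fingerprint, which is what gets pinned.
        $2 == "VALIDSIG" { if (toupper($NF) == pinned) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_iso PINNED SUMS SIG ISO: check the signature on SUMS against the
# pinned key, then check ISO against its line in SUMS. Needs gpg + sha256sum.
verify_iso() {
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        check_sig_status "$1" || return 1
    awk -v f="$4" '$2 == f || $2 == "*" f' "$2" | sha256sum -c - >/dev/null
}

# Usage:
#   verify_iso "$PINNED_FPR" SHA256SUMS SHA256SUMS.sign \
#       debian-live-6.0.7-amd64-lxde-desktop.iso && echo "verified"
```

The check fails when the key that made the signature is not the pinned one, even though gpg itself would still print "Good signature" for any key present in the keyring.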
