On Wed, Aug 15, 2007 at 10:54:02AM +0200, Hadmut Danisch wrote:
> Hi,
>
> just a question because someone had asked me for help. The problem was
> that apt-get update had complained about not being able to verify
> signatures due to a missing pgp key.
>
> Was easy to tell to do
> gpg --recv-key A70DAF536070D3A1
> gpg -a --export A70DAF536070D3A1 | sudo apt-key add -
>
> but: How would one verify that this key is the correct debian
> key (and not, e.g. the key used by an intruder to fake packages and
> simply uploaded to public key repositories)?
>
> gpg --check-sigs A70DAF536070D3A1
>
> lists some signatures of several people, but none that I personally
> know, I don't even know whether these people actually exist.
>
> So what's the official way to verify debian archives?

I'm not sure if it's official, but I've seen a section on that topic on
debian wiki IIRC.

--
Marcin Owsiany <[EMAIL PROTECTED]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
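
An added example, not part of either post: a gate that compares a fetched key's full fingerprint against one obtained independently of the keyserver before the key is handed to `apt-key add`. It assumes a trusted fingerprint is available from such a channel; the function names and the sample key listing are constructed for illustration and are not a real Debian key.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# Key ID and fingerprints are made up; this is NOT a real Debian archive key.
SAMPLE_COLONS='tru::1:1187168042:0:3:1:5
pub:-:1024:17:0000111122223333:1164116240:1215129600::-:Example Archive Key (constructed):
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
sub:-:2048:16:9999888877776666:1164116240::::::e:
fpr:::::::::1234123412341234123412349999888877776666:'

# Strip whitespace and uppercase, so "aaaa bbbb ..." compares equal to "AAAABBBB...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a colon-format listing on stdin, print the primary key's fingerprint
# (field 10 of the first "fpr" record after the "pub" record).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# check_key_fpr EXPECTED   (colon-format listing on stdin)
# 0 = full fingerprint matches, 1 = mismatch, 2 = EXPECTED is not a
# 40-hex-digit fingerprint (e.g. only a key ID was supplied).
check_key_fpr() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(primary_fpr)")
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Intended use with the commands from the thread (TRUSTED_FPR is a placeholder
# for a fingerprint obtained out of band):
#   gpg --with-colons --fingerprint A70DAF536070D3A1 \
#     | check_key_fpr "$TRUSTED_FPR" \
#     && gpg -a --export A70DAF536070D3A1 | sudo apt-key add -
```

The check refuses a bare key ID as the expected value because anyone can upload a key to a keyserver, so only a full fingerprint from a separate trusted source says anything about who controls the key.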