Hi,

On 070815 at 11:48, Hadmut Danisch wrote:
> just a question because someone had asked me for help. The problem was
> that apt-get update had complained about not being able to verify
> signatures due to a missing pgp key.
>
> Was easy to tell to do
> gpg --recv-key A70DAF536070D3A1
> gpg -a --export A70DAF536070D3A1 | sudo apt-key add -
>
> but: How would one verify that this key is the correct debian
> key (and not, e.g. the key used by an intruder to fake packages and
> simply uploaded to public key repositories)?

AFAIK: The package debian-archive-keyring should contain the keys to verify the archive release files. This package is distributed with your set of CDs or whatever. Maybe you can also get them from the debian site with https.

If the archive key can not be verified like this, e.g. with unofficial repositories, you're screwed. Still, you get some 'continuity' here, you don't introduce an attack every time you start the update but only once when you check-in the keys.

/steffen
--
[EMAIL PROTECTED]
gpg --recv-key A04D7875
Key fingerprint: B805 57BE E4AF 0104 CC51 77A1 CE6F 8D46 A04D 7875
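
Added example, not part of the original mails and not Debian's own tooling: one way to do the check described above is to compare the full fingerprint of the fetched key against the keys in a keyring obtained from trusted media, since a key ID alone can be matched by a different key. The function names, the keyring path in the comments and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a key fetched from a keyserver is one of the
# keys in a keyring obtained from trusted media, by full fingerprint.
# Real listings would come from (keyring path is an assumption):
#   gpg --with-colons --fingerprint A70DAF536070D3A1
#   gpg --no-default-keyring \
#       --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
#       --with-colons --fingerprint

# Print the primary-key fingerprints found in `gpg --with-colons` output (stdin).
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# key_is_trusted CANDIDATE_LISTING TRUSTED_LISTING
# Succeeds only if the candidate has at least one primary key and every one
# of its full fingerprints appears in the trusted listing.
key_is_trusted() {
    cand=$(printf '%s\n' "$1" | primary_fprs)
    trusted=$(printf '%s\n' "$2" | primary_fprs)
    [ -n "$cand" ] || return 1
    for f in $cand; do
        printf '%s\n' "$trusted" | grep -qxF "$f" || return 1
    done
    return 0
}

# Constructed sample listings (not real Debian keys).
TRUSTED='pub:-:1024:17:1111222233334444:1167609600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1167609600::X::Example Archive Key <archive@example.org>:'
GOOD="$TRUSTED"
# Same 64-bit key ID as the trusted key, but a different full fingerprint.
FAKE='pub:-:1024:17:1111222233334444:1167609600:::-:::scESC:
fpr:::::::::0123456789ABCDEF012345671111222233334444:
uid:-::::1167609600::X::Example Archive Key <archive@example.org>:'

check() {
    if key_is_trusted "$1" "$2"; then echo "fingerprint matches trusted keyring"
    else echo "NOT in trusted keyring: do not apt-key add"; fi
}
check "$GOOD" "$TRUSTED"
check "$FAKE" "$TRUSTED"
```

Only a key that passes this comparison should be piped to `apt-key add`; for a repository with no trusted keyring, the fingerprint has to come from some other channel you trust.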

