on 04:56 Wed 16 Mar, Todd A. Jacobs ([email protected]) wrote:
> I've recently downloaded the net installation image for Squeeze, but
> am really uncomfortable with the fact that I can't establish a firm
> trust path to the CD signing key. Is there a canonical place to get
> the fingerprint of this key, so that at least one can have some
> confidence that the key one is validating with is at least the
> widely-known (and generally accepted) one?
>
> As a hack, I've done this on an Ubuntu 10.10 system:
>
> gpg --recv-keys 6294BE9B
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>
> While this shows that this particular key has been signed by some
> Debian developers, it doesn't actually validate that the key is the
> official key for verifying the ISOs.
>
> Can anyone point me to ANY debian.org page that defines the official
> key for CD images? Major bonus for any official links to fingerprints
> for the CD signing key.
You don't trust a key by where you got it.
You trust a key by who's signed it.
http://www.rubin.ch/pgp/weboftrust.en.html
http://www.pgpi.org/doc/pgpintro/
Otherwise: you're saying you trust DNS more than PKI?
It would be a Good Thing for the Debian CD signing key to be more widely
signed (assuming that 6294BE9B is in fact the signing key).
My signing this email simply says that a person who has access to the
associated GPG private key wrote it, and (assuming the signature
validates) that the content hasn't been altered.
Without known trusted signatures on my key, I could be anybody.
--
Dr. Ed Morbius, Chief Scientist / |
Robot Wrangler / Staff Psychologist | When you seek unlimited power
Krell Power Systems Unlimited | Go to Krell!
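The "who has signed it" test above can be done mechanically rather than by eyeballing `-kvv` output. The following POSIX shell function is an added example, not code from either poster: it takes the colon-format listing from `gpg --with-colons --list-sigs KEYID` plus a file of long key IDs you already trust (in practice, extracted from `/usr/share/keyrings/debian-keyring.gpg` with `--with-colons --list-keys`), discards self-signatures and signers you do not know, and reports the remaining certifiers. The field layout is the one documented in gpg's doc/DETAILS; the sample listing, key IDs and names are constructed, with only the short ID 6294BE9B taken from the thread.

```shell
#!/bin/sh
# Print trusted signers of a key, from gpg --with-colons --list-sigs output.
#   $1 = file holding the colon-format listing
#   $2 = file holding one trusted long key ID (16 hex digits) per line
# Per doc/DETAILS, in "sig" records field 5 is the signer's key ID and
# field 10 its user ID; in the "pub" record field 5 is the key's own ID.
trusted_signers() {
    awk -F: -v trustfile="$2" '
        BEGIN { while ((getline id < trustfile) > 0) if (id != "") trusted[toupper(id)] = 1 }
        $1 == "pub" { self = toupper($5) }           # the key under examination
        $1 == "sig" {
            signer = toupper($5)
            if (signer == self) next                 # self-signature proves nothing
            if ((signer in trusted) && !(signer in seen)) {
                seen[signer] = 1
                print signer " " $10
            }
        }
    ' "$1"
}

# Number of distinct trusted signers (what you would compare against a threshold).
count_trusted_signers() {
    trusted_signers "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (assumed, not real gpg output for the Debian key).
SAMPLE_SIGS=$(mktemp)
cat > "$SAMPLE_SIGS" <<'EOF'
pub:-:4096:1:000000006294BE9B:1262304000:::-:::scESC::::::23::0:
uid:-::::1262304000::0000000000000000000000000000000000000000::CD signing key (constructed) <cd@example.invalid>::::::::::0:
sig:::1:000000006294BE9B:1262304000::::CD signing key (constructed) <cd@example.invalid>:13x::
sig:::1:1111111111111111:1262390400::::Developer One (constructed) <dev1@example.invalid>:10x::
sig:::1:2222222222222222:1262476800::::Developer Two (constructed) <dev2@example.invalid>:10x::
sig:::1:3333333333333333:1262563200::::Stranger (constructed, not in keyring) <nobody@example.invalid>:10x::
EOF
TRUSTED_IDS=$(mktemp)
printf '%s\n' 1111111111111111 2222222222222222 > "$TRUSTED_IDS"

trusted_signers "$SAMPLE_SIGS" "$TRUSTED_IDS"
```

This only tells you that signatures from known keys are present on the key; to check that those signatures are themselves valid, run `gpg --check-sigs KEYID` with the signers' public keys imported.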