OK, I think this is really enough for verification (maybe (^_^)). But what do you mean by "Because you haven't established a chain of trust from yourself to any of the signatures"? Is it only for Debian developers? And is it very important?
On Thu, Jul 11, 2024 at 4:58 PM Greg Wooledge <[email protected]> wrote:

> On Thu, Jul 11, 2024 at 16:47:45 +0500, 타토카 wrote:
> > Why 64 signatures not checked and no ultimately trusted keys found here:
> > $ gpg --import key-DA87E80D6294BE9B.txt
> > gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
> > gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
> > <[email protected]>" imported
> > gpg: Total number processed: 1
> > gpg: imported: 1
> > gpg: no ultimately trusted keys found
> >
> > And this:
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the
> > owner.
>
> Because you haven't established a chain of trust from yourself to any
> of the signatures.
>
> You've downloaded this key from the Internet. And it's signed by 64
> other keys. That's all you know. You have no idea whether any of those
> 64 signing keys are trustworthy.
>
> At some point, you have to say "This is good enough." And then you move
> on with your life, either installing Debian from the image that you have,
> or not.
>
> You've already done far more verification than most people do.

