Dr. Ed Morbius wrote:
>on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+deb...@gmail.com)
>wrote:
>> I've recently downloaded the net installation image for Squeeze, but
>> am really uncomfortable with the fact that I can't establish a firm
>> trust path to the CD signing key. Is there a canonical place to get
>> the fingerprint of this key, so that at least one can have some
>> confidence that the key one is validating with is at least the
>> widely-known (and generally accepted) one?
>>
>> As a hack, I've done this on an Ubuntu 10.10 system:
>>
>>     gpg --recv-keys 6294BE9B
>>     gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
>>
>> While this shows that this particular key has been signed by some
>> Debian developers, it doesn't actually validate that the key is the
>> official key for verifying the ISOs.
>>
>> Can anyone point me to ANY debian.org page that defines the official
>> key for CD images? Major bonus for any official links to fingerprints
>> for the CD signing key.
>
>You don't trust a key by where you got it.
>
>You trust a key by who's signed it.
>
>    http://www.rubin.ch/pgp/weboftrust.en.html
>    http://www.pgpi.org/doc/pgpintro/
>
>Otherwise: you're saying you trust DNS more than PKI?
>
>It would be a Good Thing for the Debian CD signing key to be more widely
>signed (assuming that 6294BE9B is in fact the signing key).
>
>My signing this email simply says that a person who has access to the
>associated GPG private key wrote it, and (assuming the signature
>validates), content hasn't been altered.
>
>Without known trusted signatures on my key, I could be anybody.

The CD signing key 6294BE9B has been signed by a number of people,
including the CD team leader (me!), a previous DPL (well, also me!)
and the two current Release Managers. I'll be adding more signatures
soon, I hope. That key has not been in existence very long, and these
things take time...

In the meantime (and I've mentioned this to the OP over on the -cd
list), an update to the Debian website should go live shortly listing
all the keys we use / have used, as it seems some people prefer that
to the WoT.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss

Archive: http://lists.debian.org/e1pzxsq-00068z...@jack.mossbank.org.uk
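The two checks discussed in this thread (comparing the key's fingerprint with one published out of band, and counting only verified signatures from keys you already trust) can be run over the output of `gpg --with-colons --check-sigs`. The following is an added example, not part of the original messages; the sample output, key IDs, fingerprint and the `assess` helper are all constructed for illustration.

```python
# Added example. Field positions follow GnuPG's doc/DETAILS colon format.
# "!" in field 2 of a sig record appears only with --check-sigs (signature
# verified); "-" is a bad signature, "?" means the signer's key is missing.

# Constructed sample output: every key ID, fingerprint and name is made up.
SAMPLE = """\
pub:-:4096:1:AAAA0000AAAA0001:1294000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAA0000AAAA0001:
uid:-::::1294000000::::Constructed CD Key <cd@example.invalid>:
sig:!::1:AAAA0000AAAA0001:1294000000::::Constructed CD Key <cd@example.invalid>:13x:
sig:!::1:BBBB0000BBBB0002:1295000000::::Signer One <one@example.invalid>:10x:
sig:-::1:CCCC0000CCCC0003:1295100000::::Signer Two <two@example.invalid>:10x:
sig:?::1:DDDD0000DDDD0004:1295200000::::[User ID not found]:10x:
sig:!::1:EEEE0000EEEE0005:1295300000::::Signer Three <three@example.invalid>:10x:
"""


def parse_key(colons):
    """Return (fingerprint, key_id, [(status, signer_key_id, signer_uid)])."""
    fingerprint = key_id = None
    sigs = []
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "fpr" and fingerprint is None:  # first fpr = primary key
            fingerprint = f[9]
        elif f[0] == "sig":
            sigs.append((f[1], f[4], f[9]))
    return fingerprint, key_id, sigs


def assess(colons, expected_fpr, trusted_signers):
    """expected_fpr: fingerprint obtained out of band (hypothetical input).
    trusted_signers: long key IDs of keys you have verified yourself."""
    fingerprint, key_id, sigs = parse_key(colons)
    wanted = expected_fpr.replace(" ", "").upper()
    # A signature counts only if gpg verified it ("!"), it is not the key's
    # own self-signature, and the signer is someone you already trust.
    vouchers = sorted({kid for status, kid, _ in sigs
                       if status == "!" and kid != key_id
                       and kid in trusted_signers})
    return {"fingerprint_matches": fingerprint == wanted,
            "trusted_vouchers": vouchers}
```

A signature listed on a key is not evidence until gpg has verified it against the signer's public key, which is why the bad (`-`) and unverifiable (`?`) entries are excluded even when the signer's ID is in the trusted set.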