On Mon, Mar 21, 2011 at 6:57 PM, Dr. Ed Morbius <dredmorb...@gmail.com> wrote:
> on 22:48 Mon 21 Mar, Andrei Popescu (andreimpope...@gmail.com) wrote:
>> On Lu, 21 mar 11, 13:33:16, Dan wrote:
>> > Hi,
>> >
>> > I downloaded the netinst CD image for the installation of debian. I
>> > have an Ubuntu computer where I checked the md5sum and the sha1sum. I
>> > also tried to check the signature doing the following:
>> > gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>> > gpg --verify MD5SUMS.sign MD5SUMS
>> >
>> > Is this the right procedure?
>>
>> Yes
>>
>> > I get a warning:
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg: There is no indication that the signature belongs to the
>> > owner.
>>
>> GPG is warning you that it can't find a trust path from a key you trust
>> (usually your own) to the key used to sign that file.
>
> Expanding on this:
>
> The signature is valid (it cryptographically matches the signing key),
> but identity is unverified, based on your (OP's) trust path.
>
> You've got an assurance that the file contents haven't been changed
> since they were signed, but no definite assurance of the key's
> identity.
>
> This has been recently discussed on this list.

Thanks for your answer, I read the previous thread. I am looking at the
GPG scheme to understand it better.

Best,
Dan
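
Added example, not part of the thread: the distinction drawn in the quoted replies (signature valid, owner unverified) shows up in gpg's machine-readable `--status-fd` output, which this shell function classifies. The status lines, key IDs and fingerprints are constructed placeholders, and comparing against a fingerprint obtained out of band is an assumption about how the reader establishes trust in the key.

```shell
#!/bin/sh
# Added example. Input is what gpg prints with --status-fd, e.g.:
#   gpg --status-fd 1 --verify MD5SUMS.sign MD5SUMS 2>/dev/null
# All key IDs and fingerprints below are constructed placeholders.

# classify_status [EXPECTED_FPR]   (status lines on stdin)
# Prints: bad | wrong-key | good-pinned | good-trusted-path | good-unknown-owner
classify_status() {
    expected=${1:-} sig=none fpr='' primary='' trust=none
    while read -r tag key args; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $key in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) sig=bad ;;
            GOODSIG) [ "$sig" = bad ] || sig=good ;;
            # first field: signing key fingerprint; last: primary key fingerprint
            VALIDSIG) fpr=${args%% *}; primary=${args##* } ;;
            TRUST_FULLY|TRUST_ULTIMATE) trust=path ;;
        esac
    done
    if [ "$sig" != good ] || [ -z "$fpr" ]; then
        echo bad                    # data or signature does not check out
    elif [ -n "$expected" ]; then   # caller pinned a fingerprint
        if [ "$expected" = "$fpr" ] || [ "$expected" = "$primary" ]; then
            echo good-pinned
        else
            echo wrong-key          # valid signature, but by some other key
        fi
    elif [ "$trust" = path ]; then
        echo good-trusted-path      # web of trust vouches for the key
    else
        echo good-unknown-owner     # the case in the thread: valid, owner unverified
    fi
}

FPR_A=0123456789ABCDEF0123456789ABCDEF01234567   # constructed
FPR_B=FEDCBA9876543210FEDCBA9876543210FEDCBA98   # constructed

# Constructed status output: good signature from a key with no trust path
OP_CASE="[GNUPG:] GOODSIG 89ABCDEF01234567 Example CD signing key
[GNUPG:] VALIDSIG $FPR_A 2011-03-21 1300700000 0 4 0 1 2 00 $FPR_A
[GNUPG:] TRUST_UNDEFINED"
# Constructed status output: file altered after signing
TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Example CD signing key"

printf '%s\n' "$OP_CASE"  | classify_status            # good-unknown-owner
printf '%s\n' "$OP_CASE"  | classify_status "$FPR_A"   # good-pinned
printf '%s\n' "$TAMPERED" | classify_status            # bad
```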