> I read the previous thread. I am looking at the GPG scheme to
> understand it better.
Basically, the idea is that you are confirming that the key used to sign the md5sums is a valid *and* trustworthy key--the two are not synonymous. This is a bootstrapping problem, especially for non-Debian users.

If you retrieve the key and attempt to validate it against the Debian keyring, you should see this:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
gpg: using PGP trust model
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian...@lists.debian.org>
sig         1B3045CE 2011-01-07  Colin Tuckley <co...@tuckley.org>
sig         3442684E 2011-01-05  Steve McIntyre <st...@einval.com>
sig         A40F862E 2011-01-05  Neil McGovern <maul...@halon.org.uk>
sig         C542CD59 2011-01-05  Adam D. Barratt <a...@adam-barratt.org.uk>
sig         95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
sig         63C7CC90 2011-01-05  Simon McVittie <s...@pseudorandom.co.uk>
sig 3       6294BE9B 2011-01-05  Debian CD signing key <debian...@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
sig         6294BE9B 2011-01-05  Debian CD signing key <debian...@lists.debian.org>

That tells you that the listed people have signed key 0x6294BE9B, and that it is in fact the same key they think they signed. If your output matches, then you have a *valid* key.

Now, whether or not the key is *trustworthy* is a bootstrapping problem, because if you don't know any of the signers personally, you can't know if their signatures can be trusted to verify the identity of the target key. In other words, there's nothing stopping me from labelling a random key with "Debian CD signing key" and getting some random signatures on it--the key would validate, but wouldn't be trustworthy.

Over on debian-cd, Steve McIntyre confirmed that 6294BE9B is the right key, and that the people who signed it are the people who can vouch for the identity of the key. So, if you trust Steve then you can trust the key--that's what the web of trust model is all about: validating and trusting keys based on who you trust to vouch for the identity of a given key.
If you're deeply interested in the underpinnings of the trust model, you can start with the key management section over at http://www.gnupg.org/gph/en/manual.html#MANAGEMENT. Hope that helps.
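The valid-versus-trustworthy distinction from the mail above, as an added example (not code from the poster or from Debian): it parses the human-readable listing gpg printed, treats a key as valid only when it carries its own self-signature, and calls it trusted only when one of the uid signers is someone you have decided to trust. gpg does the cryptographic checking; this only makes the trust decision on top of what gpg listed. The fake listing and the key ids in it are constructed.

```python
"""Decide 'valid' vs. 'trusted' from a gpg -kvv style key listing."""
import re

# Constructed sample: the listing from the mail above, as gpg prints it.
LISTING = """\
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian...@lists.debian.org>
sig         1B3045CE 2011-01-07  Colin Tuckley <co...@tuckley.org>
sig         3442684E 2011-01-05  Steve McIntyre <st...@einval.com>
sig         A40F862E 2011-01-05  Neil McGovern <maul...@halon.org.uk>
sig         C542CD59 2011-01-05  Adam D. Barratt <a...@adam-barratt.org.uk>
sig         95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
sig         63C7CC90 2011-01-05  Simon McVittie <s...@pseudorandom.co.uk>
sig 3       6294BE9B 2011-01-05  Debian CD signing key <debian...@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
sig         6294BE9B 2011-01-05  Debian CD signing key <debian...@lists.debian.org>
"""

# Constructed fake: same uid string, self-signed, vouched for by nobody you know.
FAKE = """\
pub   4096R/DEADBEEF 2011-01-05
uid                  Debian CD signing key <debian...@lists.debian.org>
sig         ABCDEF01 2011-01-05  Someone Random <some...@example.invalid>
sig 3       DEADBEEF 2011-01-05  Debian CD signing key <debian...@lists.debian.org>
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\b")
# Optional digit after 'sig' is the certification level (the '3' on the self-sig).
SIG_RE = re.compile(r"^sig\s+(?:[0-3]\s+)?([0-9A-F]{8})\s+\d{4}-\d{2}-\d{2}\s+(.*)$")

def parse_listing(text):
    """Return (key_id, {signer_id: signer_name}) for signatures on the uid.
    Signatures listed after 'sub' only bind subkeys and say nothing about
    who vouches for the identity, so they are skipped."""
    key_id, signers, in_sub = None, {}, False
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            key_id = m.group(1)
        elif line.startswith("sub"):
            in_sub = True
        elif (m := SIG_RE.match(line)) and not in_sub:
            signers[m.group(1)] = m.group(2).strip()
    return key_id, signers

def classify(text, trusted_ids):
    """'invalid' without a self-signature; 'valid' when self-signed but no
    signer is in trusted_ids; 'trusted' when at least one is (those are
    returned as the vouchers)."""
    key_id, signers = parse_listing(text)
    if key_id is None or key_id not in signers:
        return "invalid", []
    vouchers = sorted(s for s in signers if s in trusted_ids and s != key_id)
    return ("trusted" if vouchers else "valid"), vouchers
```

With an empty trusted set the real key and the fake one both come back merely "valid"; only trusting one of the signers Steve confirmed separates them.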