Hi,

cybertat...@gmail.com wrote:
> 2.2. I have done then: gpg --keyserver keyring.debian.org --verify
> SHA512SUMS.sign SHA512SUMS
> 2.3. Then I have got the following info: Signature was made on 30 June 2024
> And RSA key: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> I have compared 2011's key and mine and they are the same.

The key string looks good, indeed.

> But is it a good idea to do that? Or do I need to download the open key and
> then compare them?

It would suffice for me. If you know more ways to verify that the signature
belongs to Debian, then apply them. Just to be sure.

> And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do
> the same actions with SHA256SUMS.sign and SHA256SUMS?

It is the general belief that faking a SHA-512 checksum is not feasible, currently.
Faking both, SHA-512 and SHA-256, would be even more difficult.
So check both and raise loud alarm if one matches and the other does not.

Have a nice day :)

Thomas
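The procedure the reply describes (verify each detached signature, compare the signing key's fingerprint with the one you trust, then check the image against both checksum lists and treat a split result as an alarm), written out as an added shell example; this is not code from the thread or from Debian. It assumes the image and the files SHA256SUMS, SHA256SUMS.sign, SHA512SUMS and SHA512SUMS.sign sit in the current directory, that gpg and coreutils are installed, and that the fingerprint quoted in the thread is the one you want to pin. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions (not from the original mail): image and the four SUMS/.sign files
# are in the current directory; gpg, sha256sum and sha512sum are installed.

# Fingerprint to pin; this value is the one quoted in the thread.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Verify a detached signature and print the fingerprint of the key that made
# it. gpg's machine-readable status lines are used instead of parsing the
# human-readable text; VALIDSIG is only emitted when the signature checks out.
signer_fingerprint() {
    sig="$1"; data="$2"
    gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $3 }'
}

# Compare two fingerprints ignoring spaces and case, so a fingerprint copied
# from a web page or an old post compares equal to the one gpg prints.
# An empty fingerprint (no valid signature) never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check FILE against the digest recorded for it in SUMSFILE using TOOL
# (sha256sum or sha512sum). Returns 0 on match, 1 on mismatch, 2 if the
# file is not listed at all. Handles both "hash  name" and "hash *name".
checksum_status() {
    sumsfile="$1"; file="$2"; tool="$3"
    line=$(awk -v f="$file" '$2 == f || $2 == "*" f { print }' "$sumsfile" | head -n 1)
    [ -n "$line" ] || return 2
    printf '%s\n' "$line" | "$tool" -c --status
}

# Cross-check FILE against both lists. Both matching is fine, neither matching
# is a plain failure (exit 1), and one matching while the other does not is
# the case the thread says to shout about (exit 3).
cross_check() {
    file="$1"; sums256="${2:-SHA256SUMS}"; sums512="${3:-SHA512SUMS}"
    s256=0; checksum_status "$sums256" "$file" sha256sum || s256=$?
    s512=0; checksum_status "$sums512" "$file" sha512sum || s512=$?
    if [ "$s256" -eq 0 ] && [ "$s512" -eq 0 ]; then
        echo "OK: $file matches both $sums256 and $sums512"
        return 0
    elif [ "$s256" -ne 0 ] && [ "$s512" -ne 0 ]; then
        echo "FAIL: $file matches neither checksum list" >&2
        return 1
    else
        echo "ALARM: $file matches one checksum list but not the other" >&2
        return 3
    fi
}

# Whole procedure: both lists must carry a valid signature from the pinned
# key before their contents are trusted, then the image is cross-checked.
verify_image() {
    file="$1"
    for sums in SHA256SUMS SHA512SUMS; do
        fpr=$(signer_fingerprint "$sums.sign" "$sums")
        if ! fingerprint_matches "$fpr" "$EXPECTED_FPR"; then
            echo "ALARM: $sums is not signed by the expected key (got '${fpr:-none}')" >&2
            return 2
        fi
    done
    cross_check "$file"
}

# Usage: verify_image debian-12.x.y-amd64-netinst.iso   (hypothetical file name)
```

The signature check deliberately keys on gpg's VALIDSIG status line rather than the "Good signature" text, and the fingerprint comparison strips spaces so that a fingerprint pasted from a page compares correctly; an unsigned or unverifiable list yields an empty fingerprint and is rejected rather than silently accepted.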