On Wed, Jul 10, 2024 at 6:07 PM 타토카 <cybertat...@gmail.com> wrote: > > Hello, dear Debian Community. > > I just wanted to check a key with GPG. > > I have found this on https://www.debian.org/CD/verify: > > pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC] > > Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B > > uid Debian CD signing key <debian...@lists.debian.org> > > > How can I download this key for GPG checking?
Click on the link, that takes you to https://www.debian.org/CD/key-DA87E80D6294BE9B.txt and save the file. Then gpg --import it $ gpg --import key-DA87E80D6294BE9B.txt gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian...@lists.debian.org>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found hrmmm... 64 signatures not checked due to missing keys due to missing keys doesn't look good, but you've got the key now. I checked by going to http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got the SHA512SUMS and SHA512SUMS.sign files. Verify them by $ gpg --verify SHA512SUMS.sign SHA512SUMS gpg: Signature made Sat Jun 29 16:50:24 2024 EDT gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I can verify.. somebody else hopefully knows how to get all the missing keys and mark the DA87E80D6294BE9B key as trusted. and for whatever it's worth, I use these aliases: $ alias | grep sha alias sha1='/usr/bin/openssl dgst -sha1 ' alias sha256='/usr/bin/openssl dgst -sha256 ' alias sha512='/usr/bin/openssl dgst -sha512 ' Regards, Lee
