And can you explain to me what is it, please? * $ alias | grep sha alias sha1='/usr/bin/openssl dgst -sha1 ' alias sha256='/usr/bin/openssl dgst -sha256 ' alias sha512='/usr/bin/openssl dgst -sha512 '
On Thu, Jul 11, 2024 at 4:47 PM 타토카 <cybertat...@gmail.com> wrote: > Why 64 signatures not checked and no ultimately trusted keys found here: > $ gpg --import key-DA87E80D6294BE9B.txt > gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys > gpg: key DA87E80D6294BE9B: public key "Debian CD signing key > <debian...@lists.debian.org>" imported > gpg: Total number processed: 1 > gpg: imported: 1 > gpg: no ultimately trusted keys found > > And this: > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > > This is weird. Why Fedora does not have this, but Debian does. > > And can you explain to me what is it, please? > > On Thu, Jul 11, 2024 at 4:00 AM Lee <ler...@gmail.com> wrote: > >> On Wed, Jul 10, 2024 at 6:07 PM 타토카 <cybertat...@gmail.com> wrote: >> > >> > Hello, dear Debian Community. >> > >> > I just wanted to check a key with GPG. >> > >> > I have found this on https://www.debian.org/CD/verify: >> > >> > pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC] >> > >> > Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B >> > >> > uid Debian CD signing key <debian...@lists.debian.org> >> > >> > >> > How can I download this key for GPG checking? >> >> Click on the link, that takes you to >> https://www.debian.org/CD/key-DA87E80D6294BE9B.txt >> and save the file. Then gpg --import it >> >> $ gpg --import key-DA87E80D6294BE9B.txt >> gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys >> gpg: key DA87E80D6294BE9B: public key "Debian CD signing key >> <debian...@lists.debian.org>" imported >> gpg: Total number processed: 1 >> gpg: imported: 1 >> gpg: no ultimately trusted keys found >> >> hrmmm... 64 signatures not checked due to missing keys due to missing >> keys doesn't look good, but you've got the key now. >> >> I checked by going to >> http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got >> the SHA512SUMS and SHA512SUMS.sign files. >> Verify them by >> >> $ gpg --verify SHA512SUMS.sign SHA512SUMS >> gpg: Signature made Sat Jun 29 16:50:24 2024 EDT >> gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B >> gpg: Good signature from "Debian CD signing key >> <debian...@lists.debian.org>" [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the >> owner. >> Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 >> BE9B >> >> so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I >> can verify.. somebody else hopefully knows how to get all the missing >> keys and mark the DA87E80D6294BE9B key as trusted. >> >> and for whatever it's worth, I use these aliases: >> $ alias | grep sha >> alias sha1='/usr/bin/openssl dgst -sha1 ' >> alias sha256='/usr/bin/openssl dgst -sha256 ' >> alias sha512='/usr/bin/openssl dgst -sha512 ' >> >> Regards, >> Lee >> >
