verifying archive signature keys?

Hi,

just a question because someone had asked me for help. The problem was that apt-get update had complained about not beeing able to verify signatures due to a missing pgp key.

Was easy to tell to do
gpg --recv-key A70DAF536070D3A1
gpg -a --export A70DAF536070D3A1 | sudo apt-key add -

but: How would one verify that this key is the correct debian key (and not, e.g. the key used by an intruder to fake packages and simply uploaded to public key repositories)?

gpg --check-sigs A70DAF536070D3A1

lists some signatures of several people, but none that I personally know, I don't even know whether these people actually exist.

So what's the official way to verify debian archives?

regards
Hadmut

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek