Re: verifying archive signature keys?

From: Marcin Owsiany <porridge(at)debian.org>
Date: Wed Aug 15 2007 - 07:17:10 EDT


On Wed, Aug 15, 2007 at 10:54:02AM +0200, Hadmut Danisch wrote:
> Hi,
>
> just a question because someone had asked me for help. The problem was
> that apt-get update had complained about not being able to verify
> signatures due to a missing pgp key.
>
> Was easy to tell to do
> gpg --recv-key A70DAF536070D3A1
> gpg -a --export A70DAF536070D3A1 | sudo apt-key add -
>
>
>
> but: How would one verify that this key is the correct debian
> key (and not, e.g. the key used by an intruder to fake packages and
> simply uploaded to public key repositories)?
>
>
> gpg --check-sigs A70DAF536070D3A1
>
> lists some signatures of several people, but none that I personally
> know, I don't even know whether these people actually exist.
>
> So what's the official way to verify debian archives?

I'm not sure if it's official, but I've seen a section on that topic on the Debian wiki, IIRC.

-- 
Marcin Owsiany <porridge(at)debian.org>
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216


Received on Wed Aug 15 07:18:19 2007
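
Added example, not part of the original messages: the commands in the quoted question fetch a key by its 64-bit ID, and one way to check the result is to compare the key's full fingerprint with a fingerprint obtained through a separate trusted channel. The function names, the sample listing, the key ID and the fingerprint below are constructed placeholders, not a real Debian key.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# Key ID and fingerprint are made-up placeholders (assumption, not from the thread).
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:1167609600:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1167609600::::Example Archive Key <ftpmaster@example.org>:'

# Strip whitespace and upper-case a fingerprint as printed for humans.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the fingerprint (field 10 of the fpr record) of every primary key
# in a colon listing read from stdin; subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# check_key LISTING EXPECTED_FINGERPRINT
# 0 = exactly one primary key and its fingerprint matches
# 1 = fingerprint differs
# 2 = cannot decide: expected value is not a full 40-hex fingerprint, or the
#     listing holds zero or several primary keys (a key ID lookup can return
#     more than one key, so an ambiguous result is never accepted)
check_key() {
    want=$(normalize_fpr "$2")
    case $want in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$fprs" = "$want" ] || return 1
    return 0
}

# Real use (the expected fingerprint must come from a trusted source):
#   check_key "$(gpg --with-colons --fingerprint A70DAF536070D3A1)" "$EXPECTED"
```

The comparison is only as strong as the channel the expected fingerprint came from; a value fetched from the same keyserver as the key proves nothing.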

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:42 EDT