Hi,

yesterday I tried to verify the Debian DVD image that I downloaded.

I did not want to rely on the fingerprints for the public keys used to sign the 
file with the hashes, because I think that I cannot fully trust the 
information shown to me on a web page when it is encrypted with a Let's Encrypt 
certificate.

So I went for the Web of Trust.

As I had not used PGP/GPG for many years, I needed some time to learn and find 
out that GPG is not capable of automatically finding the path between a public 
key used to verify a signature and the trusted public keys that are already in 
my keyring. In my case these trusted keys are the two keys from the 
"Kryptokampagne" of c't that I downloaded and checked using the fingerprints 
published in the magazine. I was about to give up when I finally found 

https://pgp.cs.uu.nl

a web page offering exactly what I needed: given two keys, it showed me that 
I need to add only one additional key to my keyring in order to complete the Web 
of Trust and make one of the keys used to sign the Debian CD key valid.

I propose that you add at least the information about this web page to the 
verification page.

Further instructions on how to use GPG to verify a signature, how to find out and 
add the needed public keys to the keyring, and how to actually know that a verification 
is successful (the messages of GPG are not self-explanatory and the man page 
was unclear too) are certainly welcome as well. You could even go so far as to 
supply a keyring that allows a successful verification after checking and 
trusting certain "root" keys like the ones from c't.

Thanks a lot.

Best Regards

 Martin Glaser

-- 
 Martin Glaser, Heiterwanger Str. 52, D-81373 München

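As an added example (not part of Martin's mail, and not code from the Debian verification page), the following Python script shows the two mechanics the mail asks about: reading gpg's machine-readable status output to tell a cryptographically good signature apart from a signature by a key you can actually trust, and the shortest-path search over key certifications that a path-finder such as pgp.cs.uu.nl performs before telling you which key to import. All fingerprints, key IDs, user IDs and the certification graph below are constructed placeholders, and the function names are my own.

```python
"""Helpers for verifying a Debian checksum file with gpg (added example).

(1) parse_gpg_status: decide from `gpg --status-fd 1 --verify` output whether
    the signature should be accepted.
(2) trust_path / keys_to_import: find the shortest certification chain from
    keys you already trust to the signing key, and list what is missing.

Every key ID, fingerprint, user ID and certification below is a constructed
placeholder, not a real Debian or c't key.
"""
from collections import deque

# Constructed status-fd output for a good signature by a key that is in the
# keyring but not yet validated through the web of trust. On stderr gpg would
# add "WARNING: This key is not certified with a trusted signature!".
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder CD signing key <cd@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same signature once the trust path has been completed and ownertrust set.
STATUS_GOOD_TRUSTED = STATUS_GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
# Constructed output when the signing key is not in the keyring at all.
STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1704067200 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
# Constructed output for a checksum file modified after it was signed.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder CD signing key <cd@example.invalid>
"""

TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_gpg_status(status_text, pinned_fingerprints=()):
    """Return (accept, reason, primary_fingerprint).

    Accept only if gpg reports GOODSIG+VALIDSIG (signature correct, file
    unmodified) AND either the primary key fingerprint is one the caller
    pinned out of band, or gpg itself rates the key fully/ultimately valid.
    GOODSIG alone proves the file matches *some* key, not whose key it is.
    """
    good = bad = errsig = missing = False
    primary_fpr = trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "BADSIG":
            bad = True
        elif keyword == "ERRSIG":
            errsig = True
        elif keyword == "NO_PUBKEY":
            missing = True
        elif keyword == "VALIDSIG":
            # fields[2] is the (sub)key that signed; the last field is the
            # primary key fingerprint, which is what published lists show.
            primary_fpr = fields[-1].upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if bad:
        return False, "BADSIG: file or signature was modified", primary_fpr
    if missing:
        return False, "NO_PUBKEY: signing key not in keyring, import it first", None
    if errsig or not good or primary_fpr is None:
        return False, "ERRSIG or no GOODSIG/VALIDSIG pair", primary_fpr
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    if primary_fpr in pinned:
        return True, "good signature by a pinned key", primary_fpr
    if trust in TRUSTED_LEVELS:
        return True, f"good signature, key valid via web of trust ({trust})", primary_fpr
    return False, f"good signature but key not validated ({trust})", primary_fpr


def trust_path(certifications, trusted_keys, target_key):
    """Shortest chain of certifications from any trusted key to target_key.

    certifications maps a key to the set of keys it has certified. Returns the
    path (trusted key first) or None. A path-finder service runs this over the
    keyserver graph; gpg only sees certifications already in your keyring.
    """
    queue = deque((k, [k]) for k in trusted_keys)
    seen = set(trusted_keys)
    while queue:
        key, path = queue.popleft()
        if key == target_key:
            return path
        for signed in sorted(certifications.get(key, ())):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, path + [signed]))
    return None


def keys_to_import(path, keyring):
    """Keys on the path that are not yet in the local keyring."""
    return [k for k in path if k not in keyring]


# Constructed certification graph with placeholder key names.
CERTS = {
    "ct-key-A": {"alice", "carol"}, "ct-key-B": {"bob"},
    "alice": {"dave"}, "bob": {"cd-signer"}, "carol": {"bob"}, "dave": {"cd-signer"},
}

if __name__ == "__main__":
    path = trust_path(CERTS, ["ct-key-A", "ct-key-B"], "cd-signer")
    print("path:", path, "import:", keys_to_import(path, {"ct-key-A", "ct-key-B", "cd-signer"}))
    for name, text in [("untrusted", STATUS_GOOD_UNTRUSTED), ("trusted", STATUS_GOOD_TRUSTED)]:
        print(name, parse_gpg_status(text))
```

With a real download, run `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS` and feed its stdout to `parse_gpg_status`, then check the image itself with `sha512sum -c --ignore-missing SHA512SUMS`. A GOODSIG followed by TRUST_UNDEFINED is exactly the case behind gpg's "not certified with a trusted signature" warning. Importing the one missing key on the path is necessary but not sufficient: gpg only rates the signing key valid once the intermediate key is itself valid and has been given ownertrust (`gpg --edit-key <id>`, then `trust`), or enough marginally trusted certifiers exist.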