On Sun, Jan 02, 2011 at 06:56:06PM +0100, Naja Melan wrote:
> hi,
>
> I'm trying to verify that the debian iso I downloaded has not been tampered
> with by following the following faq entry:
>
> http://www.debian.org/CD/faq/#verify
>
> There are some things I don't understand yet. I have gotten as far as
> downloading the checksum files, the iso and the signatures of the checksum
> files. Now to verify the checksums I need the public key of the keypair used
> to sign the checksum files. I'm using gpa and downloaded that public key. So
> far, all that has happened is that my problem has been pushed down the line,
> because now I have a public key in my keyring that came over the internet
> and I have no idea on how to verify that one.
>
> Could someone please tell me how I could do that? (Assuming that all the
> people that signed that key are not at hand here at my home, and so I could
> not receive their public keys personally.)
You probably noticed that other than the MD5 sums as mentioned on the page it also has SHA1, SHA256 and SHA512 files that are signed.

The gpg key is also in the file /usr/share/keyrings/debian-role-keys.gpg which is in the package debian-keyring. But then you'd still have a chicken and egg problem getting that package I guess.

I think it all comes down to trusting _something_. Everything should trace back to the gpg web of trust between the developers. And if you can't trust that there is no way for you to verify it.

Kurt

Archive: http://lists.debian.org/20110102203908.ga19...@roeckx.be
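The two-step check the FAQ describes, written out as an added example (not code from either poster or from Debian): the detached signature on the checksum file is verified against the packaged debian-role-keys keyring Kurt names, so the key never has to be pulled into a personal keyring from the network, and only then is the ISO hashed and compared. That the keyring is installed, and the file names SHA512SUMS, SHA512SUMS.sign and example-netinst.iso, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify a Debian ISO the way the FAQ
# describes, but pin the signature check to the keyring shipped in the
# debian-keyring package (the path named in Kurt's reply) instead of a key
# fetched over the network into a personal keyring.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}

sha512_of() {
    # GNU coreutils on Debian; shasum is the fallback on other systems
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Step 1: the detached signature over the checksum file. Exit status 0 means
# a good signature from a key in KEYRING; gpg still prints a trust warning,
# which is exactly the "trust something" point Kurt makes.
verify_sums_signature() {
    sums=$1; sig=$2
    gpg --no-default-keyring --keyring "$KEYRING" --verify "$sig" "$sums"
}

# Step 2: the ISO against its own line in the checksum file. Lines look like
# "<128 hex digits>  <filename>"; the match is on the exact filename.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry for the ISO.
verify_iso_checksum() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print tolower($1) }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha512_of "$iso")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches $sums"
    else
        echo "MISMATCH: $name does not match $sums" >&2
        return 1
    fi
}

# Both steps in order: a bad signature means the checksum file itself is
# untrusted, so the ISO is not even hashed.
verify_iso() {
    verify_sums_signature "$1" "$2" && verify_iso_checksum "$1" "$3"
}
```

Run it as `verify_iso SHA512SUMS SHA512SUMS.sign example-netinst.iso` from a shell that has sourced the file; the hash step alone is `verify_iso_checksum SHA512SUMS example-netinst.iso`.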