Florian Kulzer wrote: [...] > > You have to tell gpg which key's signatures it should check. If you > really want to know what is going on then you should first look at the > list of signatures for the backports key: > > $ gpg --keyring /usr/share/keyrings/debian-backports-keyring.gpg --list-sig > 16BA136C > pub 1024D/16BA136C 2005-08-21 > uid Backports.org Archive Key > sig 7E7B8AC9 2005-11-20 [User ID not found] > sig 657BF03D 2006-05-27 [User ID not found] > sig 3 16BA136C 2005-08-21 Backports.org Archive Key > sig 3 16BA136C 2005-08-21 Backports.org Archive Key > sub 2048g/5B82CECE 2005-08-21 > sig 16BA136C 2005-08-21 Backports.org Archive Key > > You see that the key has been signed with two other keys, 7E7B8AC9 and > 657BF03D. These keys are not included in debian-backports-keyring.gpg > and they are also not on my user's default keyring, therefore gpg cannot > provide any information besides the key IDs. If you replace "--list-sig" > with "--check-sig" in the above command you will get "2 signatures not > checked due to missing keys". However, if you tell gpg to include the > keyring from the debian-keyring package, you can verify that one of the > signatures was made by a Debian developer: > > $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring > /usr/share/keyrings/debian-backports-keyring.gpg --check-sig 16BA136C > pub 1024D/16BA136C 2005-08-21 > uid Backports.org Archive Key > sig! 7E7B8AC9 2005-11-20 Joerg Jaspert > sig!3 16BA136C 2005-08-21 Backports.org Archive Key > sig!3 16BA136C 2005-08-21 Backports.org Archive Key > sub 2048g/5B82CECE 2005-08-21 > sig! 16BA136C 2005-08-21 Backports.org Archive Key > [..]
Thanks, Florian. I suppose that you can check that Joerg Jaspert is a Debian developer by checking the Debian developer database [1]. [1] http://db.debian.org/ -- Chris. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
