Regarding whether keys used to sign debian-live releases are present
(or not) in debian-keyring.gpg or debian-role-keys.gpg :

On Mon, 11 Aug 2014, Francesco Ariis wrote:

On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:
| $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Can't check signature: public key not found

This was not the outcome I was hoping for, but I am not sure what
to do next.

Hello Wes,

It seems the key ID 6294BE9B is found in
/usr/share/keyrings/debian-role-keys.gpg [1]; the .iso should verify with
that.

I was thinking of writing a three line paragraph to make the wiki
[2] more clear on the matter (i.e. provide the gpgv command with the
specific file to pass to --keyring), but after reading this:

   Official role keys have gradually replaced the use of personal
   keys belonging to developers. However, a decision was made not to
   go back and re-sign all the old releases that were already signed
   using the older keys.

I am unsure whether Jessie and future releases will have their
.iso signed by a key from debian-keyring.gpg or
debian-role-keys.gpg. Can anyone shed light on the matter?

WRT debian-live, the thread below seems relevant.

 https://lists.debian.org/debian-live/2014/04/msg00004.html

Whether it casts light or shade is not clear to me.

By the way, the key for checking the sig below seems to be missing
from both debian-keyring.gpg and debian-role-keys.gpg :

 http://live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sig

This, below, seems to be the key in question:

[from http://www.debian.org/CD/verify]

| To ensure that the checksums files themselves are correct, use GnuPG
| to verify them against the accompanying signature files
| (e.g. MD5SUMS.sign). The keys used for these signatures are all in
| the Debian GPG keyring and the best way to check them is to use that
| keyring to validate via the web of trust. To make life easier for
| users, here are the fingerprints for the keys that have been used for
| releases in recent years (with some UIDs removed for clarity):
[snipped some fingerprints/ids]
| pub   4096R/A9B26DF5 2014-01-03
|       Key fingerprint = 8A36 A2E8 91A5 C2A9 0DEB  7A8B 1239 00F2 A9B2 6DF5
| uid                  Live Systems Project <debian-l...@lists.debian.org>
| sub   4096R/D0125917 2014-01-03
[snipped some more fingerprints/ids]

I found this thread, which explains its absence from the keyring, for
a certain interpretation of the term explain:

 https://lists.debian.org/debian-live/2014/03/msg00038.html

-wes


[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify
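The question running through this thread is "which keyring, if any, holds the key that made this .sign file?", and gpgv only answers it one keyring at a time. The following is an added example (not code from the thread, from Debian, or from GnuPG) that answers it directly with nothing but the Python standard library: it de-armors a .sign file, walks the RFC 4880 packets, reads the issuer subpacket (the "subpkt 16 ... issuer key ID" line in the gpgv -vv dump above), computes the v4 fingerprint of every primary key and subkey in each keyring (SHA-1 over 0x99, a two-byte length and the key packet body; the long key ID is its low 64 bits) and reports the first keyring that contains the issuer. fingerprints() also lets you compare a keyring against the fingerprints published at http://www.debian.org/CD/verify. The keyrings and signature it ships with are constructed dummy data, not Debian's keys; with real files you would pass something like {"debian-role-keys.gpg": open("/usr/share/keyrings/debian-role-keys.gpg", "rb").read()}. It locates the key only; it does not check the RSA signature, which is still gpgv's job, and it does not handle partial-body-length or v3 packets.

```python
import base64
import hashlib
import struct

SIGNATURE, PUBKEY, PUBSUBKEY, ISSUER_SUBPACKET = 2, 6, 14, 16


def dearmor(text):
    """Base64 body of an ASCII-armored block (the CRC24 trailer line is skipped, not checked)."""
    body, in_body = [], False
    for line in text.strip().splitlines()[1:]:            # skip the BEGIN line
        if line.startswith("-----END"):
            break
        if not in_body:                                    # armor headers end at a blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))


def _length(buf, i, two_octet_limit):
    """RFC 4880 variable-length field at buf[i] -> (length, index after it).
    two_octet_limit is 224 for new-format packet headers and 255 for subpackets."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < two_octet_limit:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")


def packets(data):
    """Yield (tag, body) for every old- or new-format packet in data."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                     # new-format header
            tag = ctb & 0x3F
            length, i = _length(data, i, 224)
        else:                                              # old-format header (gpg keyrings use these)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def fingerprints(keyring):
    """Hex fingerprints of every v4 primary key and subkey in a binary keyring."""
    fps = set()
    for tag, body in packets(keyring):
        if tag in (PUBKEY, PUBSUBKEY) and body[0] == 4:    # v3 keys have no v4 fingerprint
            fps.add(hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper())
    return fps


def key_ids(keyring):
    """Long key IDs (low 64 bits of the fingerprint), e.g. 'DA87E80D6294BE9B'."""
    return {fp[-16:] for fp in fingerprints(keyring)}


def subpackets(area):
    """Yield (type, data) for each subpacket in a signature subpacket area."""
    j = 0
    while j < len(area):
        length, j = _length(area, j, 255)
        yield area[j] & 0x7F, area[j + 1:j + length]       # high bit is the 'critical' flag
        j += length


def issuer_key_id(sig_body):
    """Issuer key ID (hex) of a v4 signature; hashed subpackets are searched before unhashed."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures supported")
    i = 4                                                  # version, sig class, pk algo, hash algo
    for _ in range(2):                                     # hashed area, then unhashed area
        area_len = struct.unpack(">H", sig_body[i:i + 2])[0]
        area, i = sig_body[i + 2:i + 2 + area_len], i + 2 + area_len
        for sp_type, sp_data in subpackets(area):
            if sp_type == ISSUER_SUBPACKET:
                return sp_data.hex().upper()
    return None


def keyring_for_signature(armored_sig, keyrings):
    """Name of the first keyring (dict name -> bytes) holding the signing key, else None."""
    sigs = [body for tag, body in packets(dearmor(armored_sig)) if tag == SIGNATURE]
    if not sigs:
        raise ValueError("no signature packet found")
    issuer = issuer_key_id(sigs[0])
    return next((name for name, data in keyrings.items() if issuer in key_ids(data)), None)


# Constructed test data: v4 RSA key packets with dummy values; only the bytes matter here.
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body           # new-format header, body < 192 bytes


def _fake_pubkey(seed):
    n = hashlib.sha256(seed).digest()                      # 256-bit dummy modulus
    return (b"\x04" + struct.pack(">I", 1388707200) + b"\x01"
            + struct.pack(">H", 256) + n + struct.pack(">H", 17) + b"\x01\x00\x01")


def _fake_signature(issuer_hex):
    hashed = bytes([5, 2]) + struct.pack(">I", 1406210061)   # creation-time subpacket
    unhashed = bytes([9, ISSUER_SUBPACKET]) + bytes.fromhex(issuer_hex)
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xfc\x43"
            + struct.pack(">H", 16) + b"\xab\xcd")          # dummy 16-bit RSA signature MPI
    armored = base64.b64encode(_packet(SIGNATURE, body)).decode()
    return "-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n%s\n-----END PGP SIGNATURE-----\n" % armored


KEYRINGS = {"debian-keyring.gpg": _packet(PUBKEY, _fake_pubkey(b"developer key")),
            "debian-role-keys.gpg": _packet(PUBKEY, _fake_pubkey(b"role key"))}
SIGNED_BY_ROLE_KEY = _fake_signature(next(iter(key_ids(KEYRINGS["debian-role-keys.gpg"]))))
SIGNED_BY_UNKNOWN_KEY = _fake_signature("DA87E80D6294BE9B")   # the thread's key ID; in neither dummy keyring
```

keyring_for_signature(SIGNED_BY_ROLE_KEY, KEYRINGS) returns "debian-role-keys.gpg", and the unknown-key case returns None, which is the situation the gpgv output at the top of the thread reports as "public key not found". Once the keyring is known, the verification itself is still `gpgv --keyring <that file> SHA512SUMS.sign SHA512SUMS`, and the fingerprint of the key found should be checked against the list on the CD/verify page rather than trusted because it happens to be in some keyring.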



Archive: https://lists.debian.org/alpine.deb.2.02.1408121805280.16...@brutus.ling.ohio-state.edu