Hi,

Pier Antonio Corradini wrote:
> gpg: Firma valida da "Debian CD signing key <debian...@lists.debian.org>"

Jay ! \o/

> gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata!
> gpg: Non ci sono indicazioni che la firma appartenga al proprietario.

Regrettably gpg still assumes a web of trust to be normal, woven by people
who meet in person and founded on certifications by the most reputed members
of the community: Ada Lovelace, Alan Turing, Dennis M. Ritchie.
But they are all dead ... and i don't feel so well either.

So the keys have no VIP signatures. Their armor is the fact that their
fingerprints get mentioned in many e-mails. :))

> Impronta digitale della chiave primaria: DF9B 9C49 EAA9 2984 3258 9D76 DA87
> E80D 6294 BE9B

This last line is the important information. It has to match one of the
three keys which are published at
  https://www.debian.org/CD/verify
In our case it's the middle one:

  pub   rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
        Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
  uid                   Debian CD signing key <debian...@lists.debian.org>

> Conclusion: I am really very perplexed by the outcome of this authenticity
> check of the file debian-12.10.0-amd64-netinst.iso: all these commands and
> attempts to arrive at what? To the sentence "WARNING: this key is not
> certified with a trusted signature! There is no indication that the signature
> belongs to the owner."????

Indeed. You have to derive your trust from the hope that the fingerprint
cannot be forged, so that no fake key can sign the SHA512SUMS file by a
SHA512SUMS.sign file while bearing that fingerprint.

> Or is there still something to clarify regarding the selection of the key?

No. You did it perfectly right after you surpassed the obstacle of invisible
alterations to the SHA512SUM* files.

I agree that the procedure is ugly and appears too complicated. But it works
with widely available tools and is flexible enough to deal with peculiarities
of media types when the ISO is already on a bootable medium.
See this wiki page (which is too long, of course):
  https://wiki.debian.org/VerifyISOImage

It might be helpful to have specialized verifier programs which hide the
dirty details. But then you'd have to trust these programs in addition to
the other involved parties. So they would need to be authenticated themselves
by gpg --verify or alike.

If i knew a good solution then i'd post it to debian...@lists.debian.org
and be obstinate until i get a good answer. But as it is, i cannot do more
than offer human help and the above wiki page.

Have a nice day :)

Thomas
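The check Thomas describes above (a good signature is not enough; the signing key's fingerprint must match one published at https://www.debian.org/CD/verify) can be scripted so that the "not certified with a trusted signature" warning no longer matters. The following is an added example written for this reply, not code from the mail, the wiki page or the Debian project. It relies on gpg's machine-readable `--status-fd` output, whose `VALIDSIG` line carries the fingerprint of the key that made a cryptographically valid signature, and pins that fingerprint to the one quoted in the mail. Only that single fingerprint is pinned; the other two keys from the verify page would be added to `ALLOWED_FPRS` the same way. The embedded status lines are a constructed sample used to exercise the parser offline; `verify_iso` is the function you would run against a real SHA512SUMS, SHA512SUMS.sign and ISO.

```shell
#!/bin/sh
# Added example: pin the Debian CD signing key fingerprint instead of relying
# on gpg's web of trust. Fingerprints are compared without spaces, upper case.
# Only the fingerprint quoted in the mail is listed here (assumption: the two
# other keys from https://www.debian.org/CD/verify would be appended likewise).
ALLOWED_FPRS="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg --status-fd output on stdin and print the fingerprint from the first
# VALIDSIG line. gpg only emits VALIDSIG for a signature that verified; the
# TRUST_UNDEFINED / "not certified" warning is a separate, later status line.
valid_sig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 if the given fingerprint (spaces and case ignored) is pinned.
fingerprint_allowed() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$fpr" ] || return 1
    for allowed in $ALLOWED_FPRS; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    return 1
}

# Full procedure: signature must verify, signer must be pinned, then the ISO's
# own SHA512 line from SHA512SUMS is checked. Usage: verify_iso SUMS SIG ISO
verify_iso() {
    sums=$1; sig=$2; iso=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "signature on $sums did not verify" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | valid_sig_fingerprint)
    fingerprint_allowed "$fpr" || {
        echo "signed by unexpected key: ${fpr:-<none>}" >&2; return 1; }
    # Only the line for our ISO matters; SHA512SUMS lists every image.
    grep " $(basename "$iso")\$" "$sums" \
        | (cd "$(dirname "$iso")" && sha512sum -c -)
}

# Constructed sample of gpg status output (not captured from a real run),
# used to demonstrate the parser without network access or a keyring.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED DF9B9C49EAA9298432589D76DA87E80D6294BE9B 0
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2025-03-15 1742000000 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Demo on the sample; the real check runs only when three arguments are given.
demo_fpr=$(printf '%s\n' "$SAMPLE_STATUS" | valid_sig_fingerprint)
if fingerprint_allowed "$demo_fpr"; then
    echo "sample status: signer $demo_fpr is the pinned Debian CD signing key"
fi
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

Running it as `sh verify.sh SHA512SUMS SHA512SUMS.sign debian-12.10.0-amd64-netinst.iso` (the files as downloaded, in the current directory) either prints the `OK` line from sha512sum or a message naming which of the three steps failed; the gpg trust warning is not consulted at all, because the fingerprint pin replaces it.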