Secure source for Fedora GPG key

Rich Lafferty rich+rhl at lafferty.ca
Thu Nov 6 21:33:12 UTC 2003


On Thu, Nov 06, 2003 at 03:10:22PM -0600, Ian Pilcher <i.pilcher at comcast.net> wrote:
> The MD5SUM file for the Fedora ISOs is signed with the key from
> RPM-GPG-KEY-fedora.  Is there a somewhat trustworthy source for this
> key (at least an SSL download for which I could check the host
> certificate).  Without this, there's very little point in signing the
> MD5SUM file.

From keyservers, of course -- that's how trust works in PGP. (There's
no reason to trust the filesystem behind an SSL webserver, after all;
yes, you're sure that the server you're talking to is the one you
expect, but you've no idea if the file you're retrieving contains
what it is meant to contain.)

$ gpg --import RPM-GPG-KEY-fedora
gpg: key 4F2A6FD2: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-sigs 4F2A6FD2        
pub  1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
sig 3       4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>
sig 3       DB42A60E 2003-10-27   Red Hat, Inc <security at redhat.com>
sig         8DF56D05 2003-10-28   Fedora Linux (RPMS) <security at fedora.us>
sub  1024g/FB939E34 2003-10-27
sig         4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>

Ok, so do I trust <security at redhat.com> or <security at fedora.us>? If
not,

$ gpg --recv-keys DB42A60E 8DF56D05
$ gpg --list-sigs DB42A60E 8DF56D05

and so on until I'm convinced of its trustworthiness. DB42A60E is
signed by 120 people, so there's a good chance that you'll get to
someone you trust relatively quickly.

  -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Ottawa, Ontario, Canada    |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich at lafferty.ca -----------+-----------------------------------------------
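The walk described in the post above (list the key's signatures, fetch the signers' keys, list their signatures, and so on until a key you already trust appears) can be automated over gpg's machine-readable output. This is an added example, not code from the original post or from Fedora; the `--with-colons` records below are constructed to mimic gpg's format, and every key ID other than 4F2A6FD2, DB42A60E and 8DF56D05 is hypothetical. In that format field 5 of a `pub` or `sig` record is the key ID and field 11 of a `sig` record is the certification class (`10x` generic, `13x` positively certified; `18x` is a subkey binding and says nothing about the signer's opinion of the key holder).

```python
"""Breadth-first search of a PGP signature graph from a key you want to
verify to a key you already trust, mirroring: gpg --list-sigs, then
gpg --recv-keys <signers>, then --list-sigs again, until convinced.

Added example. KEYRING stands in for a keyserver; its contents are
constructed, and AAAA1111, BBBB2222 and CCCC3333 are hypothetical IDs.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Set

# Constructed `gpg --list-sigs --with-colons` output, keyed by key ID.
# Field 5 = key ID, field 11 (sig records) = certification class.
KEYRING: Dict[str, str] = {
    "4F2A6FD2": """\
pub:-:1024:17:4F2A6FD2:2003-10-27:::-:Fedora Project <fedora@redhat.com>::scESC:
uid:-::::2003-10-27::::Fedora Project <fedora@redhat.com>::::::::::0:
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@redhat.com>:13x:
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@redhat.com>:13x:
sig:::17:8DF56D05:2003-10-28::::Fedora Linux (RPMS) <security@fedora.us>:10x:
sub:-:1024:16:FB939E34:2003-10-27::::::e:
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@redhat.com>:18x:
""",
    "DB42A60E": """\
pub:-:1024:17:DB42A60E:2003-10-27:::-:Red Hat, Inc <security@redhat.com>::scESC:
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@redhat.com>:13x:
sig:::17:AAAA1111:2003-10-28::::Hypothetical Signer One:13x:
sig:::17:BBBB2222:2003-10-28::::Hypothetical Signer Two:13x:
""",
    "8DF56D05": """\
pub:-:1024:17:8DF56D05:2003-10-27:::-:Fedora Linux (RPMS) <security@fedora.us>::scESC:
sig:::17:8DF56D05:2003-10-27::::Fedora Linux (RPMS) <security@fedora.us>:13x:
sig:::17:CCCC3333:2003-10-29::::Hypothetical Signer Three:10x:
""",
}


def lookup_key(keyid: str) -> str:
    """Stand-in for `gpg --recv-keys KEYID && gpg --list-sigs --with-colons KEYID`.
    An empty string means the keyserver had no such key."""
    return KEYRING.get(keyid, "")


def parse_signers(colon_text: str) -> Dict[str, int]:
    """Map each third-party signer of the primary key's user IDs to the
    highest certification class it issued (0x10..0x13).
    Self-signatures and subkey-binding signatures are ignored."""
    primary: Optional[str] = None
    in_subkey = False
    signers: Dict[str, int] = {}
    for line in colon_text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            primary = fields[4]
            in_subkey = False
        elif rec == "sub":
            in_subkey = True          # everything until the next pub is binding sigs
        elif rec == "sig" and primary is not None and not in_subkey:
            signer = fields[4]
            if signer == primary:
                continue              # a self-signature vouches for nothing
            try:
                cert_class = int(fields[10][:2], 16)
            except (IndexError, ValueError):
                continue
            signers[signer] = max(signers.get(signer, 0), cert_class)
    return signers


def find_trust_path(start: str, trusted: Set[str],
                    fetch: Callable[[str], str],
                    min_class: int = 0x10,
                    max_depth: int = 5) -> Optional[List[str]]:
    """Return the shortest chain [start, signer, ..., trusted_key] of
    certifications of at least min_class, or None if no trusted key is
    reached within max_depth hops (or the keyserver runs dry)."""
    if start in trusted:
        return [start]
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        keyid, path = queue.popleft()
        if len(path) > max_depth:
            continue
        for signer, cert_class in sorted(parse_signers(fetch(keyid)).items()):
            if cert_class < min_class:
                continue
            if signer in trusted:
                return path + [signer]
            if signer not in seen:
                seen.add(signer)
                queue.append((signer, path + [signer]))
    return None


if __name__ == "__main__":
    # Pretend BBBB2222 is a key whose owner we have met and verified.
    print(find_trust_path("4F2A6FD2", {"BBBB2222"}, lookup_key))
```

The `min_class` knob matters: with the default everything down to a generic `10x` certification counts, so the path through 8DF56D05 to its hypothetical signer is accepted, while `min_class=0x13` refuses that edge and the search fails unless some positively certified chain exists. Against a real keyserver, replace `lookup_key` with a subprocess call that runs `gpg --recv-keys` followed by `gpg --list-sigs --with-colons`.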