Secure source for Fedora GPG key
Rich Lafferty
rich+rhl at lafferty.ca
Thu Nov 6 21:33:12 UTC 2003
On Thu, Nov 06, 2003 at 03:10:22PM -0600, Ian Pilcher <i.pilcher at comcast.net> wrote:
> The MD5SUM file for the Fedora ISOs is signed with the key from
> RPM-GPG-KEY-fedora. Is there a somewhat trustworthy source for this
> key (at least an SSL download for which I could check the host
> certificate). Without this, there's very little point in signing the
> MD5SUM file.
From keyservers, of course -- that's how trust works in PGP. (There's
no reason to trust the filesystem behind an SSL webserver, after all;
yes, you're sure that the server you're talking to is the one you
expect, but you've no idea if the file you're retrieving contains
what it is meant to contain.)
$ gpg --import RPM-GPG-KEY-fedora
gpg: key 4F2A6FD2: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --list-sigs 4F2A6FD2
pub  1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
sig 3       4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
sig 3       DB42A60E 2003-10-27 Red Hat, Inc <security at redhat.com>
sig         8DF56D05 2003-10-28 Fedora Linux (RPMS) <security at fedora.us>
sub  1024g/FB939E34 2003-10-27
sig         4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
Ok, so do I trust <security at redhat.com> or <security at fedora.us>? If not,
$ gpg --recv-keys DB42A60E 8DF56D05
$ gpg --list-sigs DB42A60E 8DF56D05
and so on until I'm convinced of its trustworthiness. DB42A60E is
signed by 120 people, so there's a good chance that you'll get to
someone you trust relatively quickly.
-Rich
--
Rich Lafferty --------------+-----------------------------------------------
Ottawa, Ontario, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | http://zapatopi.net/treeoctopus.html
rich at lafferty.ca -----------+-----------------------------------------------
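The "list-sigs, recv-keys, and so on" loop above is a breadth-first walk of the signature graph, and it can be automated. The following is an added example, not code from Rich's post or from the Fedora project: it parses GnuPG's machine-readable `gpg --with-colons --list-sigs` output (the format documented in GnuPG's doc/DETAILS) and searches outward from the Fedora key until it hits a key the user already trusts. The listing it runs on is constructed: the three key IDs and the signatures on 4F2A6FD2 are taken from the post, while the second-hop signers (1111AAAA "Alice" and 2222BBBB "Bob") and everything about who signed DB42A60E and 8DF56D05 are invented for illustration. The `live_listing` helper, which shells out to a real `gpg`, is likewise an assumption about the operator's environment and is not exercised by the sample.

```python
"""Walk the PGP web of trust outward from a key, automating the repeated
`gpg --list-sigs` / `gpg --recv-keys` loop described in the post.

Added example, not from the original post. The colon-separated listing
below is CONSTRUCTED: the key IDs 4F2A6FD2, DB42A60E and 8DF56D05 and the
three certifications on 4F2A6FD2 follow the post; the keys 1111AAAA (Alice)
and 2222BBBB (Bob) and every second-hop signature are invented.
"""
from collections import deque
import subprocess

SAMPLE_LISTING = """\
pub:-:1024:17:4F2A6FD2:2003-10-27:::-:Fedora Project <fedora@redhat.com>::
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@redhat.com>:13x:
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@redhat.com>:13x:
sig:::17:8DF56D05:2003-10-28::::Fedora Linux (RPMS) <security@fedora.us>:10x:
sub:-:1024:16:FB939E34:2003-10-27::::::
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@redhat.com>:18x:
pub:-:1024:17:DB42A60E:2003-10-27:::-:Red Hat, Inc <security@redhat.com>::
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@redhat.com>:13x:
sig:::17:1111AAAA:2003-10-27::::Alice (constructed) <alice@example.org>:10x:
sig:::17:2222BBBB:2003-10-28::::Bob (constructed) <bob@example.org>:10x:
pub:-:1024:17:8DF56D05:2003-10-27:::-:Fedora Linux (RPMS) <security@fedora.us>::
sig:::17:8DF56D05:2003-10-27::::Fedora Linux (RPMS) <security@fedora.us>:13x:
sig:::17:2222BBBB:2003-10-28::::Bob (constructed) <bob@example.org>:10x:
"""


def short_id(keyid):
    """Last 8 hex digits, upper-cased.  Old gpg prints 8-digit IDs, newer
    gpg prints 16, so comparing the suffix makes both forms match.  Short
    IDs are cheap to collide, so a production tool should key the graph on
    full fingerprints (the `fpr` records); 8 digits are used only to match
    the IDs quoted in the post."""
    return keyid.strip().upper()[-8:]


def parse_certifications(listing):
    """Map each primary key to the set of OTHER keys that certified one of
    its user IDs.  Self-signatures, subkey binding signatures (the `sig`
    records that follow a `sub` record) and `rev` records are ignored, since
    none of them say anything about third-party trust."""
    graph = {}
    current = None
    in_subkey = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = short_id(f[4])           # field 5 is the key ID
            graph.setdefault(current, set())
            in_subkey = False
        elif f[0] in ("sub", "ssb"):
            in_subkey = True
        elif f[0] == "sig" and current and not in_subkey:
            signer = short_id(f[4])            # field 5 is the signer's key ID
            if signer != current:
                graph[current].add(signer)
    return graph


def find_trust_path(graph, target, trusted, max_hops=3):
    """Breadth-first search from `target` along "is certified by" edges.
    Returns [target, signer, signer-of-signer, ..., trusted_key], or None if
    no key in `trusted` is reachable within `max_hops` certifications."""
    target = short_id(target)
    trusted = {short_id(t) for t in trusted}
    if target in trusted:
        return [target]
    parent = {target: None}
    depth = {target: 0}
    queue = deque([target])
    while queue:
        key = queue.popleft()
        if depth[key] >= max_hops:
            continue
        for signer in sorted(graph.get(key, ())):   # sorted for determinism
            if signer in parent:
                continue
            parent[signer] = key
            depth[signer] = depth[key] + 1
            if signer in trusted:
                path = [signer]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(signer)
    return None


def live_listing(keyids):
    """Same walk against a real keyring: after `gpg --recv-keys` of the
    signers, dump their signatures in colon format.  Assumes a working gpg
    on PATH and a populated keyring; not used by the constructed sample."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-sigs", *keyids],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    graph = parse_certifications(SAMPLE_LISTING)
    print(find_trust_path(graph, "4F2A6FD2", {"2222BBBB"}))
```

The search stops at the first trusted key it reaches, which is exactly the point at which the post says to stop. Once you have such a chain and have checked the fingerprint of the key at its far end against a source you believe, the usual next step is to mark the Fedora key as verified with `gpg --lsign-key 4F2A6FD2` and then run `gpg --verify` on the signed MD5SUM file, so that gpg reports a good signature from a key with a trust path rather than an unknown one.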