Securely downloading Ubuntu

Fabian Rodriguez magicfab at
Tue Jan 29 03:51:49 UTC 2008

Hash: RIPEMD160

Neal McBurnett wrote:
| That ftpmaster key is already on installed systems, right?  I would
| think we could preinstall system keyrings and give instructions that
| would be based on that.  Do we not ship the <cdimage at> key?
GnuPG's local keyrings are created when it's first invoked, so they 
should actually be empty. I personally overwrite the local keyrings or 
use an external USB key on my laptop, depending on the kind of install 
I've had in the past. Adding that key to a default install would 
probably require setting up an additional keyring with it and changing 
the default gpg.conf accordingly.

Another problem is the download page should actually link to:

I checked that page and added a few links about the web of trust and the 
warning you mention.

Although the cdimage at (0xFBB75451) key is not in the "strong 
set" and does not show up in the Keyanalyze reports, Colin Watson's and 
Martin Pool's (which both sign it) do. In my personal case it's enough 
to trust that key:

Both Colin and Martin are Ubuntu core developers:


Version: GnuPG v1.4.6 (GNU/Linux)
Comment: PGP/Mime available upon request
Comment: Using GnuPG with Mozilla -


More information about the Ubuntu-devel-discuss mailing list