Verify archive GPG signatures
Fredrik Ljunggren
fredrik at sudo.se
Mon Nov 13 13:56:28 UTC 2006
I was concidering downloading a CD-image of Ubuntu Dapper from a public
ftp archive (mirror), and hence I'd very much like to verify the GPG
signature of the md5 checksum provided.
However, I havn't been able to verify that the key that has made the
signature is indeed the "official" Ubuntu signature. In other words, I
havn't been able to verify the fingerprint of the key that made the
signature.
Shouldn't this fingerprint be posted "all over the place"? Perhaps in
the Wiki, allowing me to put atleast some confidence in the belief that
what I downloaded was indeed the offical CD-image.
And no, I don't trust the key servers. Anyone can put keys there.
More information about the ubuntu-users
mailing list