Verify archive GPG signatures

Fredrik Ljunggren fredrik at
Mon Nov 13 13:56:28 UTC 2006

I was concidering downloading a CD-image of Ubuntu Dapper from a public
ftp archive (mirror), and hence I'd very much like to verify the GPG
signature of the md5 checksum provided.

However, I havn't been able to verify that the key that has made the
signature is indeed the "official" Ubuntu signature. In other words, I
havn't been able to verify the fingerprint of the key that made the

Shouldn't this fingerprint be posted "all over the place"? Perhaps in
the Wiki, allowing me to put atleast some confidence in the belief that
what I downloaded was indeed the offical CD-image.

And no, I don't trust the key servers. Anyone can put keys there.

More information about the ubuntu-users mailing list