Verify archive GPG signatures
Scott
geekboy at angrykeyboarder.com
Thu Nov 16 21:15:06 UTC 2006
Fredrik Ljunggren spake thusly on 11/13/2006 06:56 AM:
> I was concidering downloading a CD-image of Ubuntu Dapper from a public
> ftp archive (mirror), and hence I'd very much like to verify the GPG
> signature of the md5 checksum provided.
>
> However, I havn't been able to verify that the key that has made the
> signature is indeed the "official" Ubuntu signature. In other words, I
> havn't been able to verify the fingerprint of the key that made the
> signature.
>
> Shouldn't this fingerprint be posted "all over the place"? Perhaps in
> the Wiki, allowing me to put atleast some confidence in the belief that
> what I downloaded was indeed the offical CD-image.
>
> And no, I don't trust the key servers. Anyone can put keys there.
*shrug*
I never bother verifying the GPG signatures on MD5SUMS. If the mirror
I'm using is an official mirror or on a site I trust, I throw caution to
the wind.
I've yet to have a problem.
--
Scott
http://angrykeyboarder.com
© 2006 angrykeyboarder™ & Elmer Fudd. All Wights Wesewved
More information about the ubuntu-users
mailing list