Verify archive GPG signatures

Scott geekboy at
Thu Nov 16 21:15:06 UTC 2006

Fredrik Ljunggren spake thusly on 11/13/2006 06:56 AM:
> I was concidering downloading a CD-image of Ubuntu Dapper from a public
> ftp archive (mirror), and hence I'd very much like to verify the GPG
> signature of the md5 checksum provided.
> However, I havn't been able to verify that the key that has made the
> signature is indeed the "official" Ubuntu signature. In other words, I
> havn't been able to verify the fingerprint of the key that made the
> signature.
> Shouldn't this fingerprint be posted "all over the place"? Perhaps in
> the Wiki, allowing me to put atleast some confidence in the belief that
> what I downloaded was indeed the offical CD-image.
> And no, I don't trust the key servers. Anyone can put keys there.


I never bother verifying the GPG signatures on MD5SUMS.  If the mirror
I'm using is an official mirror or on a site I trust, I throw caution to
the wind.

I've yet to have a problem.

© 2006 angrykeyboarder™ & Elmer Fudd. All Wights Wesewved

More information about the ubuntu-users mailing list