by tlikonen
3287 days ago
With files SHA512SUMS and SHA512SUMS.sign in the current directory, verifying can be as simple as:

    gpg --auto-key-retrieve SHA512SUMS.sign

The key is retrieved from the user's default keyring or keyservers. The usual keyserver pool (pool.sks-keyservers.net) has the Debian CD signing key. How we can trust that the key is the right one is another matter. It is signed by many Debian developers.

Most distributions have signed checksum files, but also post those checksums in a HTTPS location. I, and I suspect most people, just check against that and call it good. AFAIK Debian don't have that, and between using GPG or thinking "F* it, I'll take my chances", I suspect many would choose the latter. I was trying to give people who are security conscious but not paranoid^W^Wlazy an option.
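Added example, not part of the thread: one way to handle the "is it the right key" question from the first comment is to accept the signature only when gpg's machine-readable status names a fingerprint you pinned beforehand, then check the images against the verified SHA512SUMS. The function names and PINNED_FPR are hypothetical, the fingerprint is a placeholder rather than Debian's real one, and the key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Assumption: placeholder value. Replace it with the 40-hex-digit fingerprint
# obtained from a source you already trust.
PINNED_FPR="0000000000000000000000000000000000000000"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if gpg
# reported GOODSIG, reported no expired/revoked/bad/unverifiable signature,
# and a VALIDSIG line names the pinned key as signing key or primary key.
sig_from_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing (sub)key, the last field is the primary key.
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want))
                pinned = 1
        }
        END { exit ((good && pinned && !bad) ? 0 : 1) }'
}

# Verify the detached signature first, then only the images that are present.
verify_release() {
    gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null |
        sig_from_pinned_key "$PINNED_FPR" || return 1
    sha512sum --ignore-missing -c SHA512SUMS
}

# Run only where the two files named in the comment above are present.
if [ -f SHA512SUMS ] && [ -f SHA512SUMS.sign ]; then
    verify_release && echo "signature and checksums OK"
fi
```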