by 286c8cb04bda 4123 days ago
> Though they provide RSA and DSA signatures how would I verify the signatures themselves?

Ideally, it goes something like this --

1. Start with the master keys. Download them from their website & import them into your keyring.

2. Fetch signatures for those keys from some key servers. (E.g. gpg --recv-keys 6A93B34E).

3. Examine the signatures (E.g. gpg --list-sigs 6A93B34E). Do you trust anybody in that list to have verified the ownership of the keys?

If "yes", then import the release keys and verify that _they_ have been signed by the master keys. You can use the release keys to verify the downloaded binary.

If "no", then you might recurse down those keys to see if you know anyone who signed any of _them_. At this point, you'll need to consider very carefully what your trust policy is going to be.

1 comments

> 3. Examine the signatures (E.g. gpg --list-sigs 6A93B34E). Do you trust anybody in that list to have verified the ownership of the keys?

Well, what if I don't know whether I can trust them? Also, I couldn't possibly verify them in person, so I need to recursively walk through the signing keys to find a trusted signature. Isn't there an easy CLI command for this? All I could find are online path finders.

Easy it's not, but since you trust the Debian keys already, you could import keys from the debian-keyring; I'm sure there's a path from those to the PuTTY maintainers'. Here's a somewhat detailed description I just found of how to do such a thing: https://tails.boum.org/doc/get/trusting_tails_signing_key/in...
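The recursive walk from step 3 of the first post (and the "isn't there a command for this" question above) can be scripted offline against the machine-readable output of `gpg --list-sigs --with-colons`. The following is an added example, not code from the thread; the listing and the sixteen-digit key IDs are constructed placeholders, and `find_trust_path` is a hypothetical helper that does a breadth-first search from the target key back through its certifiers until it reaches a key you already trust.

```python
from collections import deque

# Constructed sample in `gpg --with-colons` format (placeholder key IDs, not real keys).
# `pub` field 5 = key ID; `sig` field 5 = signer key ID, field 10 = signer's user ID,
# field 11 = signature class (0x10..0x13 are certifications, 'x' = exportable).
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1300000000::::::scESC::::::
uid:u::::1300000000::X::Keyring Example (constructed) <keyring@example.org>::::::::::
sig:::1:0000000000000001:1300000000::::Keyring Example (constructed) <keyring@example.org>:13x::
pub:-:4096:1:0000000000000002:1300000000::::::scESC::::::
uid:-::::1300000000::X::Intermediate Dev (constructed) <dev@example.org>::::::::::
sig:::1:0000000000000002:1300000000::::Intermediate Dev (constructed) <dev@example.org>:13x::
sig:::1:0000000000000001:1300000001::::Keyring Example (constructed) <keyring@example.org>:10x::
pub:-:4096:1:0000000000000003:1300000000::::::scESC::::::
uid:-::::1300000000::X::Release Signer (constructed) <release@example.org>::::::::::
sig:::1:0000000000000003:1300000000::::Release Signer (constructed) <release@example.org>:13x::
sig:::1:0000000000000002:1300000002::::Intermediate Dev (constructed) <dev@example.org>:12x::
pub:-:2048:1:0000000000000004:1300000000::::::scESC::::::
uid:-::::1300000000::X::Unconnected Key (constructed) <nobody@example.org>::::::::::
sig:::1:0000000000000004:1300000000::::Unconnected Key (constructed) <nobody@example.org>:13x::
"""

def parse_certifications(listing):
    """Map each key ID to the set of *other* keys that certified one of its user IDs.
    Self-signatures and non-certification signature classes are ignored."""
    signers, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            signers.setdefault(current, set())
        elif f[0] == "sig" and current is not None:
            signer, sig_class = f[4], f[10][:2]
            if signer != current and sig_class in ("10", "11", "12", "13"):
                signers[current].add(signer)
    return signers

def find_trust_path(signers, trusted, target, max_depth=5):
    """BFS backwards from `target` through its certifiers until a key in `trusted`
    is reached. Returns the chain [trusted_key, ..., target] or None if no path
    exists within `max_depth` hops."""
    if target in trusted:
        return [target]
    queue, seen = deque([[target]]), {target}
    while queue:
        path = queue.popleft()          # path runs target -> ... -> current key
        if len(path) > max_depth:
            continue
        for signer in sorted(signers.get(path[-1], ())):
            if signer in trusted:
                return [signer] + path[::-1]
            if signer not in seen:
                seen.add(signer)
                queue.append(path + [signer])
    return None
```

On a real keyring you would feed it the output of `gpg --list-sigs --with-colons` for the imported keys. A path only tells you who certified whom; whether you believe each certifier actually checked the key's ownership is the trust-policy question the first post leaves to you.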