On Thu, Nov 06, 2003 at 03:10:22PM -0600, Ian Pilcher <i.pilcher@xxxxxxxxxxx> wrote:
> The MD5SUM file for the Fedora ISOs is signed with the key from
> RPM-GPG-KEY-fedora. Is there a somewhat trustworthy source for this
> key (at least an SSL download for which I could check the host
> certificate). Without this, there's very little point in signing the
> MD5SUM file.

From keyservers, of course -- that's how trust works in PGP. (There's
no reason to trust the filesystem behind an SSL webserver, after all;
yes, you're sure that the server you're talking to is the one you
expect, but you've no idea if the file you're retrieving contains what
it is meant to contain.)

$ gpg --import RPM-GPG-KEY-fedora
gpg: key 4F2A6FD2: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-sigs 4F2A6FD2
pub  1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora@xxxxxxxxxx>
sig 3       4F2A6FD2 2003-10-27  Fedora Project <fedora@xxxxxxxxxx>
sig 3       DB42A60E 2003-10-27  Red Hat, Inc <security@xxxxxxxxxx>
sig         8DF56D05 2003-10-28  Fedora Linux (RPMS) <security@xxxxxxxxx>
sub  1024g/FB939E34 2003-10-27
sig         4F2A6FD2 2003-10-27  Fedora Project <fedora@xxxxxxxxxx>

Ok, so do I trust <security@xxxxxxxxxx> or <security@xxxxxxxxx>? If not,

$ gpg --recv-keys DB42A60E 8DF56D05
$ gpg --list-sigs DB42A60E 8DF56D05

and so on until I'm convinced of its trustworthiness. DB42A60E is
signed by 120 people, so there's a good chance that you'll get to
someone you trust relatively quickly.

-Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
Ottawa, Ontario, Canada     | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/     | http://zapatopi.net/treeoctopus.html
rich@xxxxxxxxxxx -----------+-----------------------------------------------
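The procedure Rich describes (list the signers of the key, fetch the ones you do not have yet, list their signers, stop when you reach a key you already trust) is a breadth-first search over certification signatures. The script below is an added example, not code from the original post, from Rich, or from the Fedora project. It parses constructed `gpg --list-sigs --with-colons` output built from the key IDs in the message (real output carries 16-hex long key IDs and more fields; the two keys 00000001 and 00000002 certifying DB42A60E are hypothetical stand-ins for the 120 signers mentioned), reports which signer keys still need a `gpg --recv-keys`, and returns the chain of key IDs from the Fedora key to a key you already trust.

```python
"""Walk a PGP web of trust from `gpg --list-sigs --with-colons` output.

Added example for the thread above; the listings below are constructed,
not real gpg output. gpg's --with-colons format is one record per line,
fields separated by ':'. For `sig` records field 5 (index 4) is the
signer's key ID, field 10 (index 9) the signer's user ID and field 11
(index 10) the signature class: "13x" is what plain --list-sigs prints
as "sig 3", "10x" as a bare "sig", "18x" is a subkey binding.
Key IDs are the 8-hex short IDs from the message; real output gives
16-hex long IDs. 00000001 and 00000002 are hypothetical signers.
"""
from collections import deque
from dataclasses import dataclass

# Constructed: what `gpg --list-sigs --with-colons 4F2A6FD2` would show
# right after importing RPM-GPG-KEY-fedora (signers not yet fetched).
LISTING_AFTER_IMPORT = """\
pub:-:1024:17:4F2A6FD2:2003-10-27:::-:::scSC:
uid:-::::2003-10-27::::Fedora Project <fedora@xxxxxxxxxx>:
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@xxxxxxxxxx>:13x:
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@xxxxxxxxxx>:13x:
sig:::17:8DF56D05:2003-10-28::::Fedora Linux (RPMS) <security@xxxxxxxxx>:10x:
sub:-:1024:16:FB939E34:2003-10-27:::::e:
sig:::17:4F2A6FD2:2003-10-27::::Fedora Project <fedora@xxxxxxxxxx>:18x:
"""

# Constructed: the same listing after `gpg --recv-keys DB42A60E 8DF56D05`.
LISTING_AFTER_RECV = LISTING_AFTER_IMPORT + """\
pub:-:1024:17:DB42A60E:2003-10-27:::-:::scSC:
uid:-::::2003-10-27::::Red Hat, Inc <security@xxxxxxxxxx>:
sig:::17:DB42A60E:2003-10-27::::Red Hat, Inc <security@xxxxxxxxxx>:13x:
sig:::17:00000001:2003-10-28::::Hypothetical Signer One <one@example.invalid>:10x:
sig:::17:00000002:2003-10-28::::Hypothetical Signer Two <two@example.invalid>:13x:
pub:-:1024:17:8DF56D05:2003-10-27:::-:::scSC:
uid:-::::2003-10-27::::Fedora Linux (RPMS) <security@xxxxxxxxx>:
sig:::17:8DF56D05:2003-10-27::::Fedora Linux (RPMS) <security@xxxxxxxxx>:13x:
sig:::17:DB42A60E:2003-10-28::::Red Hat, Inc <security@xxxxxxxxxx>:10x:
"""


@dataclass(frozen=True)
class Sig:
    signer: str      # key ID of the certifying key
    signer_uid: str  # user ID gpg shows for that key
    cert_class: str  # "10x".."13x"; "13x" is "sig 3" in the plain listing


def parse_listing(text):
    """Map each primary key ID to the certifications on its user IDs.

    Signatures after a `sub` record are subkey bindings, not third-party
    certifications, so they are skipped.
    """
    sigs = {}
    key, in_subkey = None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key, in_subkey = f[4], False
            sigs.setdefault(key, [])
        elif f[0] == "sub":
            in_subkey = True
        elif f[0] == "sig" and key and not in_subkey:
            sigs[key].append(Sig(f[4], f[9], f[10]))
    return sigs


def unfetched_signers(sigs):
    """Signer key IDs not in the keyring yet: the `gpg --recv-keys` list."""
    return {s.signer for sig_list in sigs.values() for s in sig_list} - set(sigs)


def trust_path(sigs, target, trusted):
    """Breadth-first search from `target` along "who certified this key"
    edges until a key in `trusted` is reached. Returns the chain of key IDs
    from target to that trusted key, or None. Self-signatures are ignored:
    a key vouching for itself proves nothing.
    """
    if target in trusted:
        return [target]
    parent = {target: None}
    queue = deque([target])
    while queue:
        key = queue.popleft()
        for s in sigs.get(key, []):   # unfetched keys have no entry: dead end
            if s.signer == key or s.signer in parent:
                continue
            parent[s.signer] = key
            if s.signer in trusted:
                path = [s.signer]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(s.signer)
    return None


if __name__ == "__main__":
    print("fetch next:", sorted(unfetched_signers(parse_listing(LISTING_AFTER_IMPORT))))
    sigs = parse_listing(LISTING_AFTER_RECV)
    print("fetch next:", sorted(unfetched_signers(sigs)))
    print("path:", trust_path(sigs, "4F2A6FD2", {"00000002"}))
```

A signature path is only as good as the checking done by the keys on it: the class field records what the signer claimed ("13x", shown as "sig 3", is the strongest level of identity verification; "10x" makes no claim), and GnuPG's ownertrust setting is where you record how far you believe each signer's checking. The search here finds a chain; deciding that the chain is convincing is still the "until I'm convinced" step from the message.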