I download three files (an iso, a checksum and a signature file) from
http://cdimage.debian.org/debian-cd/...64/iso-hybrid/
This location is not a https type so not as secure as I might wish.
I checksum the iso and it matches the downloaded entries but that does not prove the source.
I verify the iso with the signature:
Code:
gpg --verify SHA512SUMS.sign debian-live-7.2-amd64-xfce-desktop.iso
but that does not prove the source either.
I match the output
Code:
gpg: Signature made Mon 14 Oct 2013 05:05:31 BST using RSA key ID AD11CF6A
against
https://www.debian.org/CD/verify
but that just verifies the end of the fingerprint, not the whole fingerprint.
So what more can I do to check things properly?
All my attempts to do more fail, like:
Code:
gpg --keyserver keyring.debian.org --recv-keys 0xAD11CF6A
gpg: requesting key AD11CF6A from hkp server keyring.debian.org
gpgkeys: key AD11CF6A not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Thanks
Jacek
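
Added example, not part of the original post: the key ID AD11CF6A is only the last 8 hex digits of a 40-digit fingerprint, so this Python code compares the full fingerprint from the VALIDSIG line that `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS` prints, then checks the image's SHA-512 against the signed list. The expected fingerprint, the status lines and the image bytes are constructed placeholders; the real fingerprint has to be copied from https://www.debian.org/CD/verify.

```python
import hashlib

# Constructed placeholder for the full 40-hex-digit fingerprint published on
# https://www.debian.org/CD/verify; it is NOT the real Debian CD signing key.
EXPECTED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF AD11 CF6A"
ISO_NAME = "debian-live-7.2-amd64-xfce-desktop.iso"

def signer_fingerprint(status_text):
    """Full primary-key fingerprint from a VALIDSIG status line, else None."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) > 2 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            # Field 11 is the primary key; older gpg prints only the signing key.
            return (f[11] if len(f) > 11 else f[2]).upper()
    return None  # no VALIDSIG means the signature did not verify

def signed_by(status_text, expected_fpr):
    """Compare all 160 bits, never the 32-bit short key ID."""
    want = "".join(expected_fpr.split()).upper()
    return len(want) == 40 and signer_fingerprint(status_text) == want

def image_matches(sums_text, filename, image_bytes):
    """True if the image's SHA-512 equals the entry in the signed SHA512SUMS."""
    for line in sums_text.splitlines():
        digest, _, name = line.partition(" ")
        if name.strip().lstrip("*") == filename:
            return hashlib.sha512(image_bytes).hexdigest() == digest.lower()
    return False

# Constructed sample data (stand-ins, not real gpg output or a real image).
GOOD = ("[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFAD11CF6A 2013-10-14 "
        "1381723531 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEFAD11CF6A")
# A different key whose short ID is also AD11CF6A.
LOOKALIKE = GOOD.replace("0123456789ABCDEF0123456789ABCDEF",
                         "FEDCBA9876543210FEDCBA9876543210")
IMAGE = b"constructed stand-in for the ISO contents"
SUMS = hashlib.sha512(IMAGE).hexdigest() + "  " + ISO_NAME + "\n"

if __name__ == "__main__":
    print(signed_by(GOOD, EXPECTED_FPR))        # genuine full fingerprint
    print(signed_by(LOOKALIKE, EXPECTED_FPR))   # same short ID, other key
    print(image_matches(SUMS, ISO_NAME, IMAGE))
```

The signature file covers SHA512SUMS, not the iso, so the chain is: full fingerprint, then signature over the checksum list, then checksum of the image.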