3. Verifying the archive signing key
If you want to be sure that the archive key that will be installed is the one you expect, not some trojan key, you should verify the key, as follows, before installing any packages from the archive. (There are, of course, other ways to perform this verification; do whatever you feel comfortable with. This step is optional if you have already decided to trust this repository.)
First, obtain the .deb package for cern-archive-keyring.
(This step presumes that you have already added the necessary entries to sources.list and run apt-get update.)
aptitude download cern-archive-keyring
Unpack the .deb into a temporary directory on your filesystem, for instance:
dpkg -x cern-archive-keyring_2008.06.03_all.deb ./tmp
Import the GPG keyring shipped in the .deb into your GPG's list of known public keys:
gpg --import tmp/usr/share/keyrings/cern-archive-keyring.gpg
This operation will print a message like the following; please ensure that the key ID printed is in fact 4061544D.
gpg: key 4061544D: public key "CERN Debian Packages Archive (signing key) <kmccarty@debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
The fingerprint of this key can be obtained as follows, and should match the (partial) output shown below:
gpg --fingerprint 4061544D
Key fingerprint = 8E3F 1338 9401 FDF8 F79A 4FE2 F464 E3D8 4061 544D
You will want to see that this key is signed by a Debian Developer, specifically me. So obtain my public key from Debian's keyring server:
gpg --keyserver keyring.debian.org --recv-keys 4F83C751
The output of this command should look like the following:
gpg: requesting key 4F83C751 from hkp server keyring.debian.org
gpg: key 4F83C751: public key "Kevin B. McCarty <kmccarty@gmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
My key fingerprint is as follows:
gpg --fingerprint 4F83C751
Key fingerprint = 5AFC 1914 1A2F C632 2A85 AE9B 7D8C 4022 4F83 C751
Finally, ensure that the keyring in the package is signed by my public key:
gpg --list-sigs 4061544D
The line to look for in the output is the signature made by my key, 4F83C751 (the "sig 4F83C751 ... Kevin B. McCarty" line below); the other signatures are the archive key's own self-signatures:
pub 1024D/4061544D 2008-06-03
uid CERN Debian Packages Archive (signing key) <kmccarty@debian.org>
sig 3 4061544D 2008-06-03 CERN Debian Packages Archive (signing key) <kmccarty@debian.org>
sig 4F83C751 2008-06-03 Kevin B. McCarty <kmccarty@gmail.com>
sub 2048g/DD109F76 2008-06-03
sig 4061544D 2008-06-03 CERN Debian Packages Archive (signing key) <kmccarty@debian.org>
After verifying the keyring in the cern-archive-keyring package to your satisfaction, you might want to clean up your personal list of known public keys by removing my key and/or the archive signing key from it. (This has no effect on the set of archive signing keys known or trusted by APT.) You can do this via:
gpg --delete-key 4F83C751 4061544D
and entering "y" at both "Delete this key...?" prompts.
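The procedure above compares fingerprints and signatures by eye. As an added example (not part of this guide, and not a tool shipped by the CERN repository), the script below makes the same two checks mechanically by parsing gpg's machine-readable --with-colons output: it confirms that the archive key's full fingerprint equals the one given above, and that the key carries a signature issued by the maintainer's key. It deliberately compares the full 40-hex-digit fingerprint and the 16-hex-digit long key ID rather than the 8-digit short IDs (4061544D, 4F83C751) quoted in the commands above, because short IDs are cheap to collide. The fingerprints are taken from this page; the long key ID is derived from the maintainer fingerprint (its last 16 hex digits); the sample gpg output embedded at the end is constructed to match gpg's record layout and is not captured from a real run.

```shell
#!/bin/sh
# Added example: verify the archive signing key from gpg --with-colons output.
# Not part of the CERN repository guide.

# Full fingerprints as printed on the page, with the spaces removed.
ARCHIVE_FPR="8E3F13389401FDF8F79A4FE2F464E3D84061544D"
MAINTAINER_FPR="5AFC19141A2FC6322A85AE9B7D8C40224F83C751"
# A long key ID is the last 16 hex digits of the fingerprint.
MAINTAINER_LONGID=$(printf '%s' "$MAINTAINER_FPR" | tail -c 16)

# check_fingerprint GPG_COLON_OUTPUT EXPECTED_FPR
#   GPG_COLON_OUTPUT is the text of: gpg --with-colons --fingerprint <keyid>
#   Succeeds (exit 0) when an "fpr" record whose field 10 equals EXPECTED_FPR
#   is present; fails otherwise.
check_fingerprint() {
    printf '%s\n' "$1" | awk -F: -v want="$2" \
        '$1 == "fpr" && $10 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_signed_by GPG_COLON_OUTPUT SIGNER_LONGID
#   GPG_COLON_OUTPUT is the text of: gpg --with-colons --list-sigs <keyid>
#   Succeeds when a "sig" record names SIGNER_LONGID as the issuer (field 5).
check_signed_by() {
    printf '%s\n' "$1" | awk -F: -v want="$2" \
        '$1 == "sig" && $5 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# verify_archive_key KEYID
#   Runs the real gpg queries against your own keyring (after the import steps
#   in the guide) and succeeds only when both checks pass. This needs gpg and
#   the imported keys, so the offline sample below does not call it.
verify_archive_key() {
    check_fingerprint "$(gpg --with-colons --fingerprint "$1")" "$ARCHIVE_FPR" \
        && check_signed_by "$(gpg --with-colons --list-sigs "$1")" "$MAINTAINER_LONGID"
}

# Constructed sample records in gpg's --with-colons layout (not a real capture).
# Field 10 of an "fpr" record is the fingerprint; field 5 of a "sig" record is
# the long key ID of the signer.
SAMPLE_FPR='pub:-:1024:17:F464E3D84061544D:2008-06-03:::-:CERN Debian Packages Archive (signing key) <kmccarty@debian.org>::scSC:
fpr:::::::::8E3F13389401FDF8F79A4FE2F464E3D84061544D:'

SAMPLE_SIGS='pub:-:1024:17:F464E3D84061544D:2008-06-03:::-:CERN Debian Packages Archive (signing key) <kmccarty@debian.org>::scSC:
sig:::17:F464E3D84061544D:2008-06-03::::CERN Debian Packages Archive (signing key) <kmccarty@debian.org>:13x:
sig:::17:7D8C40224F83C751:2008-06-03::::Kevin B. McCarty <kmccarty@gmail.com>:10x:'

# Run the two checks over the constructed sample.
if check_fingerprint "$SAMPLE_FPR" "$ARCHIVE_FPR" \
   && check_signed_by "$SAMPLE_SIGS" "$MAINTAINER_LONGID"; then
    echo "sample data: fingerprint matches and key is signed by $MAINTAINER_LONGID"
else
    echo "sample data: MISMATCH" >&2
fi
```

To check your real keyring instead of the sample, call verify_archive_key with the archive key ID after completing the import steps above; an exit status of 0 means both the fingerprint and the maintainer's signature were found, anything else means one of the two checks did not hold and the key should not be trusted.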