Skip to main content
Unix & Linux

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

4
  • 1
    Can you elaborate the command gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 6294BE9B . How can hkp://pool.sks-keyservers.net be trusted when it is not mentioned by debian? Commented Dec 9, 2015 at 17:26
  • 1
    I used gpg --keyserver keyring.debian.org --recv-keys 6294BE9B and it imported the key. Fingerprints matched with the ones provided by debian. And I successfully verified the MD5SUMS file. Thank you. Commented Dec 9, 2015 at 18:28
  • The documentation is unclear because in general it's unclear how to trust PGP keys (of people you don't already know). Checking fingerprints against debian.org/CD/verify (note encrypted HTTPS) is a good idea. You can also try --keyserver hkps://keyring.debian.org, to download the key using HTTPS. On my Fedora 25 system, GPG verifies this connection using system HTTPS certificate authorities. Sadly, Certificate Authorities are far from perfect. Commented Jan 9, 2017 at 11:23
  • 1
    When you have a debian system, you can install debian-keyring, and use gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg Commented Jan 9, 2017 at 11:24