Dear all,

I just had a quick conversation on the #gnewsense IRC channel about how to trust source or binary downloads from the gNewSense website.

My problem is that:

1. I'm not part of a GPG web of trust through which I can form a chain to the keys used to sign releases on the gNewSense website; and
2. the gNewSense website does not support SSL/TLS.

In other words, neither of the standard mechanisms against MITM or similar tampering is available to me with respect to gNewSense.

OK, so the next best thing is to download the gNewSense GPG keyring file gnewsense-keyring.gpg from somewhere that does have a "secure" connection ( https://savannah.nongnu.org/project/memberlist-gpgkeys.php?group=gnewsense ) and try to verify downloads with that. First steps:

    $ gpg --import gnewsense-keyring.gpg
    gpg: key DF4DA2F8: public key "Anthony LETELLIER <letellier.anth...@gmail.com>" imported
    gpg: key 27FCF12E: public key "Karl Goetz <k...@kgoetz.id.au>" imported
    gpg: key AA95C349: public key "Danny Clark <dcl...@fsf.org>" imported
    gpg: key 10E525F4: public key "Delyan Raychev (liberty4all) <a...@delqn.com>" imported
    gpg: key 47486962: public key "Jason Self <js...@gnu.org>" imported
    gpg: key C79A94CF: public key "Albino Biasutti Neto <bino...@binoanb.eti.br>" imported
    gpg: key B6AD4643: public key "rsiddharth (rsd) <rsiddha...@ninthfloor.org>" imported
    gpg: Total number processed: 7
    gpg: imported: 7 (RSA: 2)
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

Well, alright. Now I download MD5SUMS.gpg from http://archive.gnewsense.org/gnewsense-three/gnewsense/dists/parkes/main/installer-mipsel/current/images/ and try to verify it:

    $ gpg --verify MD5SUMS.gpg
    gpg: Signature made Mon 5 Aug 21:09:22 2013 BST using DSA key ID BF119352
    gpg: Can't check signature: public key not found

Not so good. Anybody here able to help with this?

If not, is there an ETA for the implementation of SSL/TLS on the gNewSense website; or a possibility the gNewSense project might start serving its files through Savannah instead of (or in addition to) directly from the gNewSense website, in order to benefit from Savannah's HTTPS?

Many thanks,
Sam
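
Added example, not part of the original message: the "public key not found" failure above can be told apart from a bad signature in a script by reading the machine-readable lines gpg writes with --status-fd, while checking against only the keyring fetched over HTTPS. The function names and the sample key ID 0123456789ABCDEF are constructed for illustration; gnewsense-keyring.gpg and MD5SUMS.gpg are the files named in the message.

```shell
#!/bin/sh
# Added example (not from the original post). The keywords matched below
# (VALIDSIG, BADSIG, NO_PUBKEY, EXPSIG, EXPKEYSIG, REVKEYSIG) are the ones
# GnuPG emits on --status-fd, each prefixed with "[GNUPG:]".

# classify_status: read gpg status lines on stdin and print one verdict:
#   good:<fingerprint>  missing-key:<keyid>  rejected:<keyword>  bad  none
# Assumes the input describes a single signature.
classify_status() {
    verdict=""
    fpr=""
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue     # skip human-readable lines
        case "$kw" in
            BADSIG)    verdict="bad" ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                       [ "$verdict" = "bad" ] || verdict="rejected:$kw" ;;
            NO_PUBKEY) [ -n "$verdict" ] || verdict="missing-key:$arg" ;;
            VALIDSIG)  fpr=$arg ;;              # first field: signing key fingerprint
        esac
    done
    if [ -n "$verdict" ]; then
        printf '%s\n' "$verdict"                # any failure outranks VALIDSIG
    elif [ -n "$fpr" ]; then
        printf 'good:%s\n' "$fpr"
    else
        printf 'none\n'                         # no signature status seen at all
    fi
}

# verify_against_keyring KEYRING SIGFILE
# Checks SIGFILE using only the keys in KEYRING, never the default keyring.
# KEYRING must contain a slash (e.g. ./gnewsense-keyring.gpg); otherwise gpg
# looks for it in its home directory.
verify_against_keyring() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$2" 2>/dev/null | classify_status
}

# Constructed sample: status output when the signer's key is not in the keyring.
sample_missing='gpg: Can'"'"'t check signature: public key not found
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1375733362 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
```

Run as `verify_against_keyring ./gnewsense-keyring.gpg MD5SUMS.gpg`; a `missing-key:` verdict means the signer is not among the keys obtained over the trusted channel, so the download remains unverified.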