Andrew, your method leaves you and your system wide open to MITM attacks. All I need to do is poison your DNS cache at the right moment, and you’ll trust my key (apologies to ari for misattribution in a previous edition of this post; thanks to dato for letting me know).
I strongly suggest going via gnupg and verifying the fingerprint as well as the signatures on the key. You can use this page to help you verify these data (although, as long as the page is not served over SSL, it does not add much assurance; I am working on it).
Here’s what I usually do:
cirrus:~> GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpmaster<@t>debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
cirrus:~> gpg --check-sigs --fingerprint 2D230C5F
pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
      Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F
uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster<@t>debian.org>
sig!3        2D230C5F 2006-01-03  Debian Archive Automatic Signing Key (2006) <ftpmaster<@t>debian.org>
sig!         2A4E3EAA 2006-01-03  Anthony Towns <aj<@t>azure.humbug.org.au>
sig!         4F368D5D 2006-01-03  Debian Archive Automatic Signing Key (2005) <ftpmaster<@t>debian.org>
sig!         29982E5A 2006-01-04  Steve Langasek <vorlon<@t>dodds.net>
sig!         FD6645AB 2006-01-04  Ryan Murray <rmurray<@t>cyberhqz.com>
sig!         AB2A91F5 2006-01-04  James Troup <james<@t>nocrew.org>
and then I check the trust path from my key to at least one of the keys used to sign the archive key. Only if I find an acceptable path will I then tell APT to trust the key:
cirrus:~> gpg --export -a 2D230C5F | sudo apt-key add -
Ok
Note that the key is signed with the previous archive key, so theoretically you can just build on your previous trust.
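The two checks above (pinned fingerprint, plus a good signature from a key you already trust) are easy to get wrong by eye, so here is an added example, not from the original post, that automates them on gpg's machine-readable output (`gpg --with-colons --fingerprint --check-sigs 2D230C5F`). It approves the key only when the fingerprint matches the one verified out of band, the key is not expired or revoked, and at least one signature that gpg marked good comes from a signer in your trusted set. The sample colon output embedded below is constructed for offline use: the archive key's fingerprint and long key id are the real ones from the post, but the leading eight hex digits of the other signers' long ids, and the uid hash field, are placeholders.

```python
"""Pin-and-check a Debian archive key before handing it to apt-key.

Added example, not code from the original post.  Feed it the output of

    gpg --with-colons --fingerprint --check-sigs 2D230C5F

and only run `gpg --export -a 2D230C5F | sudo apt-key add -` when
check_archive_key() returns True.
"""
import subprocess

# Fingerprint of the 2006 archive key exactly as printed in the post.
EXPECTED_FPR = "0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F"

# Signers whose certification you are willing to rely on, taken from the
# post's --check-sigs output.  In practice use 16-digit ids or fingerprints;
# 8-digit ids are accepted here only because that is what the post shows.
TRUSTED_SIGNERS = {"2A4E3EAA", "4F368D5D", "29982E5A"}

# Constructed sample of gpg --with-colons output (not captured from a real
# run).  Long ids of the non-archive signers carry a made-up 00000000 prefix.
SAMPLE = """\
pub:-:1024:17:010908312D230C5F:2006-01-03:2007-02-07::-:::sc:
fpr:::::::::084750FC01A6D388A643D869010908312D230C5F:
uid:-::::2006-01-03::0000::Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>::
sig:!::17:010908312D230C5F:2006-01-03::::Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>:13x:
sig:!::17:000000002A4E3EAA:2006-01-03::::Anthony Towns <aj@azure.humbug.org.au>:10x:
sig:?::17:0000000029982E5A:2006-01-04::::[User ID not found]:10x:
"""


def normalise(fpr):
    """Drop the display spacing so fingerprints compare byte for byte."""
    return fpr.replace(" ", "").upper()


def parse_colons(text):
    """Extract (fingerprint, key validity, [(sig status, signer long id)]).

    Colon-format fields (1-based): 1 record type, 2 validity / sig status,
    5 long key id, 10 fingerprint on 'fpr' records.  Sig status '!' is good,
    '-' bad, '?' signer key unknown, '%' other error.
    """
    fpr, validity, sigs = None, None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            validity = f[1]
        elif f[0] == "fpr":
            fpr = f[9]
        elif f[0] == "sig":
            sigs.append((f[1], f[4].upper()))
    return fpr, validity, sigs


def signer_is_trusted(keyid):
    """Match a signer's long id against the trusted set (suffix match lets
    the 8-digit ids from the post work; full ids are strictly better)."""
    return any(keyid.endswith(t.upper()) for t in TRUSTED_SIGNERS)


def check_archive_key(text, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason).  ok is True only if every check passes."""
    fpr, validity, sigs = parse_colons(text)
    if fpr is None or normalise(fpr) != normalise(expected_fpr):
        return False, "fingerprint missing or does not match the pinned value"
    if validity in ("e", "r", "i"):
        return False, "key is expired, revoked or invalid"
    good = [k for status, k in sigs if status == "!" and signer_is_trusted(k)]
    if not good:
        return False, "no good signature from a trusted signer"
    return True, "good signatures from: " + ", ".join(good)


def gpg_colons(keyid="2D230C5F"):
    """Run the real gpg command; requires the key to be in your keyring."""
    return subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", "--check-sigs", keyid],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ok, why = check_archive_key(SAMPLE)
    print(("OK" if ok else "REFUSE") + ": " + why)
```

The third signature in the sample has status `?` (gpg could not find the signer's key), which is what you get when you have not imported the signer's key yet; it is deliberately not counted, because an unverified signature says nothing about who made it.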
Until Debian finally gets a proper PKI in place, this seems like the best way to do it.

