Verifying published files integrity and origin

Hi,

I'm back to FreeBSD after (too) many years, and may have missed something, please bear with me.

My question is: how may I verify the origin and integrity of a published file?

Case in point: I want to install FreeBSD 11.1. The announcement ( https://www.freebsd.org/releases/11.1R/announce.html#availability ) points towards a set of PGP-signed files ( https://www.freebsd.org/releases/11.1R/signatures.html ). I downloaded https://www.freebsd.org/releases/11.1R/CHECKSUM.SHA512-FreeBSD-11.1-RELEASE-amd64-vm.asc, which is signed by 8D12403C2E6CAB086CF64DA3031458A5478FE293, but I cannot find the public key.

The long and short (478FE293) key IDs aren't on keyservers, nor in "The OpenPGP keys of the FreeBSD.org officers" ( https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html ). According to information posted in a thread from 2014 ( https://lists.freebsd.org/pipermail/freebsd-stable/2014-September/080271.html ), this key was used to sign BETA-status files(?!)

My subquestion is: where may I obtain the 8D12403C2E6CAB086CF64DA3031458A5478FE293 public key?

Thank you!
 
I believe the problem is that 478FE293 is not an "actual key" (in the sense of being something you can easily find), but is instead a sub-key of A0B946A3.

That "actual key", A0B946A3, does appear in the "complete keyring" file, https://www.freebsd.org/doc/pgpkeyring.txt, but (as of 2019-02-16) the list of sub-keys in that file is stale, so you would have to import the entire thing, which might take quite a while, to find 478FE293.

I have updated your PR 222044 to request that the situation be documented more clearly.
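The procedure the two posts describe, written out as an added example (this is not code from the thread or from the FreeBSD project): import the keyring, let gpg tell you which subkey signed the CHECKSUM file and which primary key that subkey belongs to, compare the primary key's full fingerprint with the one you obtained out of band (the handbook officers page), and only then trust the SHA512 lines inside the signed payload. So that it runs offline, the script builds a throwaway GNUPGHOME with a constructed certify-only primary key plus signing subkey and a constructed stand-in for the VM image; the file names, the user ID and the image contents are made up. It assumes GnuPG 2.1 or later (for `--quick-generate-key`, `--quick-add-key` and loopback pinentry) and either coreutils `sha512sum` or FreeBSD `sha512(1)`. The subkey-to-primary mapping comes from the `VALIDSIG` status line, whose third field is the signing key and whose last field is the primary key fingerprint.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a clearsigned
# FreeBSD-style CHECKSUM.SHA512 file, map the signing *subkey* back to its
# primary key, and compare that primary fingerprint with one obtained out of
# band. Everything below runs offline against a constructed keyring and a
# constructed stand-in image. In real use the keyring step is
#     fetch https://www.freebsd.org/doc/pgpkeyring.txt
#     gpg --import pgpkeyring.txt
# and the functions are pointed at the downloaded CHECKSUM.SHA512-*.asc.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# gpg with the batch options this example needs (empty passphrase, no tty).
gpg_() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Portable SHA-512 of a file: coreutils sha512sum or FreeBSD sha512(1).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | cut -d' ' -f1
    else sha512 -q "$1"; fi
}

# gpg --verify reports who signed. In --status-fd output the VALIDSIG line
# carries two fingerprints: field 3 is the key that actually made the
# signature (a subkey, like 478FE293 in the thread) and the last field is the
# primary key it belongs to (A0B946A3 in the thread). Both are empty when the
# primary key is not in the local keyring, the "no public key" situation the
# question describes.
signing_key_of() { gpg_ --status-fd 1 --verify "$1" 2>/dev/null | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3}'; }
primary_key_of() { gpg_ --status-fd 1 --verify "$1" 2>/dev/null | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF}'; }

# The only thing to trust is a primary fingerprint confirmed elsewhere.
# Compare the full 40-hex-digit fingerprint, never a short key ID.
check_signature() {   # $1 = clearsigned .asc, $2 = expected primary fingerprint
    [ -n "$2" ] && [ "$(primary_key_of "$1")" = "$2" ]
}

# The signed payload is a BSD-style digest list, one line per file:
#   SHA512 (FreeBSD-11.1-RELEASE-amd64.vmdk.xz) = <128 hex digits>
# gpg --decrypt strips the armor (and re-verifies); hash the local file and
# compare. A file that is not listed in the payload fails as well.
check_file_against_checksums() {   # $1 = clearsigned .asc, $2 = local file
    name="($(basename "$2"))"
    expected=$(gpg_ --decrypt "$1" 2>/dev/null | awk -v n="$name" '$1=="SHA512" && $2==n {print $4}')
    [ -n "$expected" ] && [ "$expected" = "$(sha512_of "$2")" ]
}

verify_release_file() {   # $1 = .asc, $2 = local file, $3 = trusted primary fingerprint
    check_signature "$1" "$3" && check_file_against_checksums "$1" "$2"
}

# ---- Constructed fixture, standing in for pgpkeyring.txt and the release:
# a certify-only primary key with a separate signing subkey, the layout that
# makes a subkey ID appear in gpg's "signed by" line.
gpg_ --quick-generate-key 'Constructed FreeBSD release test key' rsa2048 cert never
PRIMARY_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}')
gpg_ --quick-add-key "$PRIMARY_FPR" rsa2048 sign never
SUBKEY_ID=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="sub" {print $5; exit}')

IMAGE="$WORK/FreeBSD-11.1-RELEASE-amd64.vmdk.xz"   # constructed stand-in, not the real image
printf 'constructed stand-in for the VM image\n' > "$IMAGE"
printf 'SHA512 (%s) = %s\n' "$(basename "$IMAGE")" "$(sha512_of "$IMAGE")" > "$WORK/CHECKSUM.SHA512"
ASC="$WORK/CHECKSUM.SHA512.asc"
gpg_ --local-user "$PRIMARY_FPR" --clearsign --output "$ASC" "$WORK/CHECKSUM.SHA512"

mkdir -p "$WORK/tampered"
TAMPERED="$WORK/tampered/$(basename "$IMAGE")"   # same name, different bytes
printf 'something else entirely\n' > "$TAMPERED"

# Demo run: the genuine file passes, the tampered copy fails, and a wrong
# "trusted" fingerprint fails even though the signature itself is valid.
echo "signed by subkey $(signing_key_of "$ASC"), primary $(primary_key_of "$ASC")"
verify_release_file "$ASC" "$IMAGE" "$PRIMARY_FPR" && echo "genuine image: OK"
verify_release_file "$ASC" "$TAMPERED" "$PRIMARY_FPR" || echo "tampered image: REJECTED"
check_signature "$ASC" "0000000000000000000000000000000000000000" || echo "wrong primary key: REJECTED"
```

Two practical points follow from the functions above. First, `primary_key_of` only returns something once the primary key (with its subkey) is in the local keyring, which is why importing the full pgpkeyring.txt is the unblocking step in the answer. Second, the comparison is against the primary key's full fingerprint: a short ID such as 478FE293 is easy to collide and says nothing about which primary key the subkey hangs off.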
 