Tino's questions

我正在运行 Devuan Jessie。我想从头开始安装另一个 Devuan Ascii。所以我下载了：

• https://files.devuan.org/devuan_ascii/installer-iso/devuan_ascii_2.0.0_amd64_netinst.iso
• https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS
• https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS.asc
• https://files.devuan.org/devuan_ascii/devuan-devs.gpg
  • 更新：现在可在https://files.devuan.org/devuan-devs.gpg

但我发现没有办法进行身份验证devuan-devs.gpg。

其他发行版（如 Debian 或 Ubuntu 或类似发行版）允许我从现有的先前版本验证 ISO。

但是对于Devuan，我没有找到任何办法：

tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --no-default-keyring --keyring /usr/share/keyrings/devuan-archive-keyring.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --no-default-keyring --keyring /usr/share/keyrings/devuan-keyring.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found

tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --keyring ../devuan-devs.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Good signature from "Vincenzo (KatolaZ) Nicosia <[email protected]>"
gpg:                 aka "Vincenzo Nicosia (KatolaZ) <[email protected]>"
gpg:                 aka "Vincenzo Nicosia (KatolaZ) <[email protected]>"
gpg:                 aka "KatolaZ <[email protected]>"
gpg:                 aka "Enzo Nicosia <[email protected]>"
gpg:                 aka "Enzo Nicosia -- KatolaZ <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8E59 D6AA 445E FDB4 A153  3D5A 5F20 B3AE 0B5F 062F

由于“钥匙未经认证”，没有迹象表明钥匙不是假的。 如何修复这条破碎的信任链？

https://devuan.org/os/documentation/dev1fanboy/general-information也没有解决这个谜。

笔记：

devuan-devs.gpg大概不是假的。然而，这种假设并没有帮助。必须有某种方法来确保它不是假的。最初的母鸡问题已经解决了，因为 Devuan (Jessie) 已经在我身边跑了。

肯定有比将 Jessie 升级到 Ascii 更好的方法来验证 Ascii 的 ISO。正确的？