> 3. Examine the signatures (E.g. gpg --list-sigs 6A93B34E). Do you trust anybody in that list to have verified the ownership of the keys?
Well what if I don't know if I can trust them. Also I couldn't possibly verify them in person so I need to recursively walk through the signing keys to find a trusted signature. Isn't there an easy cli command for this? All I could find are online path finders.
Easy it's not, but since you trust the debian keys already, you could import keys from the debian-keyring - I'm sure there's a path from those to the putty maintainers'. Here's a somewhat detailed description I just found, for how to do such a thing https://tails.boum.org/doc/get/trusting_tails_signing_key/in...
Well what if I don't know if I can trust them. Also I couldn't possibly verify them in person so I need to recursively walk through the signing keys to find a trusted signature. Isn't there an easy cli command for this? All I could find are online path finders.