In the installation procedure of Gentoo, there is a step to check signature of the downloaded iso file. To do so, we first need to download the set of keys from a key server:
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910
However, when I first run this command, I got the following error:
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910 gpg: requesting key 2D182910 from hkps server hkps.pool.sks-keyservers.net gpgkeys: HTTP fetch error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
If I correctly understand this error, that means gpg can’t trust the CA that emitted the certificate of the key server. To fix this issue, I need to add the certificate of the CA to my list of trusted certificates.
The question is: how can I get this certificate in a safely manner? By safe, I mean the certificate can’t be compromised by a man-in-the-middle attack, for instance.
Using openssl, I can see the certificate of the key server is signed by
$ openssl s_client -showcerts -connect hkps.pool.sks-keyservers.net:443 CONNECTED(00000005) depth=1 C = NO, ST = Oslo, O = sks-keyservers.net CA, CN = sks-keyservers.net CA verify error:num=19:self signed certificate in certificate chain
But how can I trust the certificate given by this command? How can I be sure no attacker falsified the anwser?