Creating a multimedia template

I am following the directions at this page:

But I am stuck at the first step for importing the public key for Spotify.
The recommendation is to check the fingerprint(?) on different keyservers to ensure that the public key is correct. But it is not clear how to do this.

I run this step:

[user@t-multimedia ~]$ gpg --keyid-format long --with-fingerprint spotify.pubkey 

I get exactly as they get:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/D1742AD60D811D58 2020-09-08 [SC] [expires: 2021-12-02]
  Key fingerprint = 8FD3 D9A8 D380 0305 A9FF  F259 D174 2AD6 0D81 1D58
uid                           Spotify Public Repository Signing Key <>

Should I trust the fingerprint - it is not clear how to check the fingerprint at other keyservers (which ones would have the Spotify pub key?)

I have reviewed several posts like this:

How do I verify that I have found the correct public key ?


You can search, download and compare the keys from these keyservers as well:

This page explains authenticating a PGP key’s fingerprint out-of-band in the context of authenticating the Qubes Master Signing Key:

1 Like

Thanks. I found the public key/fngerprints on those two websites.

A follow up question:
The next step is to add the spotify repo url to the sources.list.d folder.
I notice the string is “”, not “https”.

The sources.list contain https urls for debian repo.

So i tried updating packages with https and i got this:
Certificate verification failed: The certificate is not trusted.

If I go to on my browser, it says SSL _ERROR_BAD_CERT.
This certificate is only valid for, *

Having a http site in the sources.list sounds like a no no. Since I will need to update the packages from time to time.


It turns out it is better to have https, for the additional privacy layer on top of apt’s ability to verify the package.