I have tried to verify the Kali Linux PGP key, which I obtained from https://keyserver.ubuntu.com and also from hkps://keys.openpgp.org. In both cases I get this:
[user@disp434 ~]$ gpg2 --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
pub rsa4096 2012-03-05 [SC] [expires: 2027-02-04]
44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid [ unknown] Kali Linux Repository devel@kali.org
sub rsa4096 2012-03-05 [E] [expires: 2027-02-04]
but the Kali Linux website (Download Kali Linux Images Securely | Kali Linux Documentation) has this:
$ gpg --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
pub rsa4096/0xED444FF07D8D0BF6 2012-03-05 [SC] [expires: 2023-01-16]
uid [ unknown] Kali Linux Repository <devel@kali.org>
sub rsa4096/0xA8373E18FC0D0DCB 2012-03-05 [E] [expires: 2023-01-16]
The output I got is missing the ‘0xED444…’ and the ‘0xA837…’ after the ‘rsa4096’ in the top and bottom lines.
So the match is far from exact.
Am I getting a compromised key?
Thanks,
flc
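
An added example, not part of the original post: a Python check that compares the two listings quoted above by key identity rather than by display layout. The key ID printed after `rsa4096/` depends on gpg's `--keyid-format` option, and the expiry date is not part of a v4 key's fingerprint, so neither is compared. The function names and status strings are assumptions made for this sketch.

```python
import re

# The fingerprint the post passed to gpg, and the two listings it quotes.
EXPECTED_FPR = "44C6513A8E4FB3D30875F758ED444FF07D8D0BF6"
LISTING_A = """\
pub rsa4096 2012-03-05 [SC] [expires: 2027-02-04]
44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid [ unknown] Kali Linux Repository devel@kali.org
sub rsa4096 2012-03-05 [E] [expires: 2027-02-04]
"""
LISTING_B = """\
pub rsa4096/0xED444FF07D8D0BF6 2012-03-05 [SC] [expires: 2023-01-16]
uid [ unknown] Kali Linux Repository <devel@kali.org>
sub rsa4096/0xA8373E18FC0D0DCB 2012-03-05 [E] [expires: 2023-01-16]
"""

# A fingerprint line: ten groups of four hex digits, optionally labelled.
FPR_RE = re.compile(
    r"^(?:\s*Key fingerprint =)?\s*((?:[0-9A-Fa-f]{4}\s*){10})$", re.M)
# Key ID on the primary ("pub") line only; subkey IDs never match the fingerprint.
PUB_ID_RE = re.compile(r"^pub\s+\S+?/(?:0x)?([0-9A-Fa-f]{8,16})\b", re.M)

def normalize(value):
    """Drop whitespace and an optional 0x prefix, upper-case the hex."""
    value = re.sub(r"\s+", "", value).upper()
    return value[2:] if value.startswith("0X") else value

def primary_identity(listing):
    """Return (fingerprint, primary key ID); either is None if not shown."""
    fpr = FPR_RE.search(listing)
    kid = PUB_ID_RE.search(listing)
    return (normalize(fpr.group(1)) if fpr else None,
            normalize(kid.group(1)) if kid else None)

def check_listing(expected_fpr, listing):
    """Classify a listing against the fingerprint obtained from a trusted source."""
    expected = normalize(expected_fpr)
    fpr, kid = primary_identity(listing)
    if fpr is None and kid is None:
        return "no-identity"
    if fpr is not None and fpr != expected:
        return "mismatch"
    if kid is not None and not expected.endswith(kid):
        return "mismatch"  # a key ID is the trailing hex digits of the fingerprint
    # A key ID alone is at most 64 bits, so it is weaker evidence than all 160.
    return "fingerprint-match" if fpr else "keyid-match-only"

if __name__ == "__main__":
    for name, text in (("A", LISTING_A), ("B", LISTING_B)):
        print(name, check_listing(EXPECTED_FPR, text))
```

The result is only as trustworthy as the source of `EXPECTED_FPR`: it should be read from a channel independent of the keyserver the key was downloaded from.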