Easing into the practical side

Good to know: Base system and packages are treated separately (*NM.tgz sets vs packages), binary upgrades encouraged. You can build from source if you like, of course

Starting with the 5.5 release, base sets, packages and patches are signed. The signing keys can be found on the release page, printed on the official CDs and here:

Base sets: 5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h

Firmware: 5.5 fw signify pubkey: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO

Packages: 5.5 pkg signify pubkey: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5

A new release means a new set of keys. You can fetch it from the mirrors before installing or upgrading.

And if you're upgrading to 5.5, your system won't have them yet. That's fixable.