On Mon, Mar 15, 2004 at 07:37:24PM -0800, Number Six wrote:
> > gpg --keyserver pgp.mit.edu --send-key [EMAIL PROTECTED]
>
> Okay, I did that. Is there a canonical-Debian way to point the world
> there to verify it? So they'll actually trust the .dsc?
>
> Or do I just do that in an out-of-band way such as the Readme or
> Changelog?
If there's a signature on something, usually the first place someone will
look will be the key network (and keyring.debian.org, for Debian stuff, if
they're familiar with it). So now your key's there, that's that sorted.

But nobody knows you from a bar of soap. We don't have any trust that the
key that signed those files belongs to the person it says it does. So you
need to get identity-verifying signatures added to your key. Until then,
the key is effectively useless for verification purposes, except to say
that a package that I download today is signed by the same key it was
whenever I last downloaded one of your packages. That is of limited
usefulness.

Have a google around for key signing and key signing parties, and get
yourself into the web of trust. That's the number 1 best way to
"bootstrap yourself in".

- Matt
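The distinction Matt draws, a signature that is cryptographically good versus one made by a key you have reason to believe belongs to the named person, is exactly what GnuPG reports on its status fd. The following is an added example, not code from the thread or from Debian's tooling. It parses GnuPG's machine-readable `[GNUPG:]` status lines (GOODSIG/BADSIG/ERRSIG/NO_PUBKEY for the signature check, TRUST_* for the key's validity in your web of trust, as documented in GnuPG's doc/DETAILS) and refuses to call a .dsc "trusted" until both hold. The `Verdict` class, `parse_status` and `verify_file` names, the policy of accepting only TRUST_FULLY/TRUST_ULTIMATE, and the sample status lines with their placeholder key ID, fingerprint and user ID are all mine, constructed so the script runs offline without a keyring.

```python
"""Added example (not from the thread): tell a *valid* signature apart from a
*trusted* one using GnuPG's machine-readable status lines.

`gpg --verify` printing "Good signature" only proves the file was signed by
some key; whether that key belongs to the named person is answered by the
web of trust, which GnuPG reports separately as a TRUST_* status line.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Policy choice (mine, not GnuPG's): TRUST_MARGINAL is deliberately not
# accepted. Relax this if marginally valid keys are acceptable to you.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    valid: bool = False                # signature cryptographically verifies
    trusted: bool = False              # AND the key is valid in our web of trust
    key_id: Optional[str] = None       # long key ID from GOODSIG
    fingerprint: Optional[str] = None  # full fingerprint from VALIDSIG
    trust: Optional[str] = None        # TRUST_* keyword seen, if any
    reason: str = ""


def parse_status(lines: Iterable[str]) -> Verdict:
    """Fold GnuPG '[GNUPG:] <KEYWORD> <args...>' status lines into a Verdict."""
    v = Verdict()
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue                    # ordinary human-readable chatter, ignore
        parts = raw.split()
        if len(parts) < 2:
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "GOODSIG":
            v.valid = True
            v.key_id = args[0] if args else None
        elif keyword == "VALIDSIG":
            v.fingerprint = args[0] if args else None
        elif keyword in ("BADSIG", "ERRSIG"):
            v.valid = False
            v.reason = f"{keyword}: signature did not verify"
        elif keyword == "NO_PUBKEY":
            v.valid = False
            v.reason = f"key {args[0]} not in keyring; fetch it from a keyserver first"
        elif keyword in ("EXPKEYSIG", "REVKEYSIG"):
            v.valid = False             # maths checks out, but policy rejects the key
            v.reason = f"{keyword}: signing key is expired or revoked"
        elif keyword.startswith("TRUST_"):
            v.trust = keyword
    v.trusted = v.valid and v.trust in ACCEPTED_TRUST
    if v.valid and not v.trusted:
        v.reason = (f"good signature by {v.key_id}, but no trust path to the key "
                    f"({v.trust or 'no TRUST line'}): only proves the same key signed it")
    return v


def verify_file(path: str, gpg: str = "gpg") -> Verdict:
    """Run gpg on a signed file (e.g. a .dsc) and judge the result.
    --status-fd 1 routes the machine-readable lines to stdout."""
    proc = subprocess.run([gpg, "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines())


# Constructed sample status output. Key ID, fingerprint and user ID are
# placeholders, not a real key.
_KEY = "0123456789ABCDEF"
_FPR = "0" * 24 + _KEY
_UID = "Example Maintainer <maintainer@example.org>"
SAMPLE_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {_KEY} {_UID}",
    f"[GNUPG:] VALIDSIG {_FPR} 2004-03-15 1079308800 0 4 0 17 2 00 {_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED[:-1] + ["[GNUPG:] TRUST_FULLY 0 pgp"]
SAMPLE_BAD = ["[GNUPG:] NEWSIG", f"[GNUPG:] BADSIG {_KEY} {_UID}"]
SAMPLE_MISSING = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG {_KEY} 17 2 00 1079308800 9",
    f"[GNUPG:] NO_PUBKEY {_KEY}",
]

if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_UNTRUSTED), ("trusted", SAMPLE_TRUSTED),
                         ("bad", SAMPLE_BAD), ("missing", SAMPLE_MISSING)]:
        v = parse_status(sample)
        print(f"{name:9s} valid={v.valid} trusted={v.trusted} {v.reason}")
```

The "untrusted" sample is the situation Matt describes: GnuPG says the signature is good, but TRUST_UNDEFINED means nobody whose key you trust has vouched for it, so the verdict stays at "same key as before", nothing more. Only after the key has collected identity-verifying signatures from people in your web of trust does GnuPG emit TRUST_FULLY and the file pass.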