On Wed, May 09, 2001 at 12:28:33PM +0700, Oki DZ wrote:
> Hi,
>
> Recently I tried to verify the source from www.linux.org, but I had the
> following:
> [EMAIL PROTECTED]:~$ gpg --verify linux-2.4.4.tar.bz2.sign linux-2.4.4.tar.bz2
> gpg: Signature made Sat Apr 28 08:48:08 2001 JAVT using DSA key ID
> 517D0F0E
> gpg: Good signature from "Linux Kernel Archives Verification Key
> <[EMAIL PROTECTED]>"
> Could not find a valid trust path to the key. Let's see whether we
> can assign some missing owner trust values.
>
> No path leading to one of our keys found.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> gpg: Fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
>
> I don't get it; would anybody decipher the message in plain English,
> please?

Simple:
- the signature has been made with that key
- you don't know for sure that the key actually belongs to
  "Linux Kernel Archives Verification Key" because one or more of:
  a) You haven't signed that key (and you shouldn't unless you meet
     the owner in person)
  b) The key is not signed by anybody you trust

> BTW, for verification of originality of the tarball, wouldn't it be
> easier using MD5?
>
> [EMAIL PROTECTED]:~$ md5sum linux-2.4.4.tar.bz2
> b2cb01dfca76829c31ddc61445e4bbb9 linux-2.4.4.tar.bz2
>
> I think so; there's no server to connect to, and there's no signature
> file to retrieve.
>
> Oki

This email is signed, and assuming that no valid trust path exists
between us, you should receive the same message when verifying it.

--
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
==== Today's fortune:
Genetics explains why you look like your father, and if you don't, why
you should.
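The distinction drawn in the reply above (the signature checks out, but nothing proves who owns the key), shown as an added example that is not part of the original emails. It classifies the machine-readable output of `gpg --status-fd 1 --verify SIG FILE`. The names `classify`, `normalize` and `PINNED_FPR` are hypothetical, and the status lines in `SAMPLE` are constructed to match the case in the post. A real pinned fingerprint must come from a channel independent of the download.

```python
# Added example: interpret `gpg --status-fd 1 --verify SIG FILE` output.
# SAMPLE is constructed to match the case in the post (timestamp is made up).
PINNED_FPR = "C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E"  # as printed in the post

SAMPLE = """\
[GNUPG:] GOODSIG C86BA06A517D0F0E Linux Kernel Archives Verification Key
[GNUPG:] VALIDSIG C75DC40A11D7AF889981ED5BC86BA06A517D0F0E 2001-04-28 988418888 0 3 0 17 2 00 C75DC40A11D7AF889981ED5BC86BA06A517D0F0E
[GNUPG:] TRUST_UNDEFINED
"""

def normalize(fpr):
    """Strip spaces and upper-case so printed and machine forms compare equal."""
    return "".join(fpr.split()).upper()

def classify(status_text, pinned_fpr=None):
    """Separate 'the data matches the signature' from 'the key is the owner's'."""
    seen, fpr = set(), None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        seen.add(fields[0])
        if fields[0] == "VALIDSIG" and len(fields) > 1:
            # Field 10 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint.
            fpr = fields[10] if len(fields) > 10 else fields[1]
    if "BADSIG" in seen:
        return "bad"                    # file or signature was altered
    if "GOODSIG" not in seen or fpr is None:
        return "unchecked"              # missing key, expired/revoked key, error
    if pinned_fpr is not None:
        # Ownership is settled by a fingerprint obtained out of band.
        match = normalize(fpr) == normalize(pinned_fpr)
        return "good-pinned" if match else "good-wrong-key"
    if seen & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
        return "good-trusted"           # the web of trust vouches for the key
    return "good-owner-unverified"      # the situation in the post

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(SAMPLE, PINNED_FPR))
```

An MD5 sum fetched from the same server as the tarball corresponds to none of the "good" outcomes here: it detects a damaged download but carries no key at all, so there is nothing to pin or to trust.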