* Bas van Gils ([EMAIL PROTECTED]) [010911 08:47]:
>
> Hi everyone,
>
> just recently I installed gpg on my machine (that is, after reading the
> article in Linux Journal). It works together with mutt brilliantly. No
> problem there.
>
> Now, I read a lot of debian mailing lists and noticed that a lot (all ?)
> of people in the Debian-organization post with a PGP-signature. Mutt
> "complains" that it can't verify the signatures because it doesn't have
> the public-keys in my key-ring. Makes sense ;-)
>
> I was wondering: is there an (easy) way of importing the keys of these
> people in my key-ring? Or do I have to look up these keys at a
> key-server and import them 1 by 1 <guess that would be the `safe' thing
> to do..>
Well, the safest thing to do would be to verify people's key signatures
with the people themselves, and establish for yourself that you trust
that that key belongs to that person as much as you believe that that
person is who they say they are. Once you have done that, you should
probably sign the key and consider it trusted.

In the meantime, you can add keys to your public keyring and consider
them mostly untrusted but still use them to verify signatures. If you've
been using a key for a long time, you develop some implicit trust level
that that really is that person's key, even if you don't know that
person. For example, if you've been watching me giving advice to people
on this list for months and always signing with the same key, you get
"enough" of a trust level that when you see someone dispensing advice
with a signature from this key, it's probably the same person who did it
a few weeks back (even though you have no proof that I'm actually Vineet
Kumar).

To start collecting public keys, your best bet is to tell gpg where it
can find a keyserver, and when you ask it to verify a signature whose
public key is not on your ring, it will automatically try to download it
from the keyserver. These downloaded keys should be considered the lowest
trust level; anyone can send a key to a keyserver with a bogus uid on it
and then start signing messages using it.

So now that I've gotten the lectures out of the way, here's how it's
actually done: add a line like the following to your .gnupg/options
file:

    keyserver wwwkeys.us.pgp.net

After that, it will work like magic. No matter where you're calling
gnupg from (i.e. it works from inside mutt =) ), if it doesn't have that
key and you try to verify a signature, it will try to get it from the
keyserver.

Cheers,

-- 
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
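As an added illustration (not part of the original thread), a small Python script that reads the `[GNUPG:]` status lines gpg writes when run with `--status-fd` and keeps the two questions from the reply separate: whether the signature checks out, and whether the key behind it has actually been verified. The status output and the key id are constructed samples, not captured from a real run.

```python
import re

# gpg's trust levels from weakest to strongest, as reported on TRUST_* lines.
TRUST_ORDER = ["UNDEFINED", "NEVER", "MARGINAL", "FULLY", "ULTIMATE"]

# Constructed sample: a good signature from a key that gpg fetched from the
# keyserver but that nobody has verified or signed locally.
UNTRUSTED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Poster <poster@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: the signing key is not in the keyring at all.
MISSING_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1000000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


def parse_status(text):
    """Extract signature result, key id, user id and trust level from the
    [GNUPG:] lines; other status lines are ignored."""
    result = {"sig": None, "keyid": None, "uid": None, "trust": None}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if not m:
            continue
        tag, rest = m.group(1), m.group(2) or ""
        if tag in ("GOODSIG", "BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            keyid, _, uid = rest.partition(" ")
            result.update(sig=tag, keyid=keyid, uid=uid)
        elif tag in ("ERRSIG", "NO_PUBKEY"):
            result.update(sig=tag, keyid=rest.split()[0])
        elif tag.startswith("TRUST_"):
            result["trust"] = tag[len("TRUST_"):]
    return result


def verdict(text):
    """Say whether the signature verified, and separately whether the key
    is one you have actually established trust in."""
    r = parse_status(text)
    if r["sig"] == "NO_PUBKEY":
        return "no public key for %s; a keyserver line in the options file lets gpg fetch it" % r["keyid"]
    if r["sig"] != "GOODSIG":
        return "signature did not verify (%s)" % r["sig"]
    trust = r["trust"] or "UNDEFINED"
    if TRUST_ORDER.index(trust) >= TRUST_ORDER.index("FULLY"):
        return "good signature from a trusted key: %s" % r["uid"]
    return "good signature, but key %s is unverified (trust %s): same-key consistency only" % (r["keyid"], trust.lower())
```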