On 3/17/15 1:54 PM, Peter Lebbing wrote:
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.email]
Sent: Tuesday, March 17, 2015 3:07 PM
To: Clark Rivard
Subject: Re: Copy Current GPG Installation to Another Server
gpg: Signature made Fri Feb 27 00:55:58 2015 PST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
You can safely ignore the warning; it simply means that you have not
validated the key yourself, which when it comes to signed packages is
not really a necessity.
Why is that?
Because in this situation you're often dealing with beginners who don't
understand the subtleties involved in validating keys.
I understand getting a validated key can be tricky in
practice, but on the other hand, using *just* a short key ID to do your
verification feels like the other end of the spectrum... I think you
should at least verify the fingerprint on a web site or something.
Assuming you get the package, the signature, and the fingerprint from
the same *.gnupg.org resources, what does that buy you?
If you've somehow downloaded the wrong key by short ID, the signature
won't validate. If you have the right key, it will. That's enough to
tell the user that the contents of the package are unaltered.
More extensive checking would be great, but would require a lot of
documentation to teach the users how to do it ... are you volunteering
to write it? :)
Doug
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
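The thread turns on what a short key ID buys you compared with the key's full fingerprint. The script below is an added example, not code from the gnupg-users thread or from the GnuPG project: it parses the machine-readable lines gpg emits with `--status-fd` (the `GOODSIG`, `VALIDSIG`, `BADSIG` and `TRUST_*` keywords are gpg's real ones) and accepts a signature only when the signing key's full 40-hex-digit fingerprint matches one pinned ahead of time. The fingerprints and the three status transcripts are constructed: both fingerprints are made to end in the short ID 4F25E3B6 from the thread, because for a v4 key the short ID is just the last 32 bits of the fingerprint and several keys can share it. Pinning the full fingerprint is what makes the "key is not certified" warning quoted above safe to disregard, since the check no longer depends on the web of trust at all.

```python
"""Verify a GPG-signed package against a pinned full key fingerprint.

Added example; the fingerprints and gpg status transcripts are constructed.
"""
import subprocess
from typing import Dict, Optional, Set, Tuple

# CONSTRUCTED fingerprints (40 hex digits). Both end in the short ID 4F25E3B6
# so the second one shows what a short-ID collision looks like. In practice
# the pinned value comes from somewhere out-of-band (project website, a
# previously verified copy), not from the same download as the package.
EXPECTED_FPR = "0123456789ABCDEF" * 2 + "4F25E3B6"
COLLIDING_FPR = "FFFFFFFF" * 3 + "FEDCBA984F25E3B6"
PINNED_FINGERPRINTS: Set[str] = {EXPECTED_FPR}

# CONSTRUCTED --status-fd transcripts in the shape gpg emits them.
# VALIDSIG field 12 is the primary key fingerprint; here it equals field 3.
SAMPLE_GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {EXPECTED_FPR[-16:]} Werner Koch (dist sig)
[GNUPG:] VALIDSIG {EXPECTED_FPR} 2015-02-27 1425027358 0 4 0 1 10 00 {EXPECTED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Cryptographically good signature, but from a different key that merely
# shares the short ID: the case a fingerprint pin is there to catch.
SAMPLE_COLLIDING_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {COLLIDING_FPR[-16:]} Werner Koch (dist sig)
[GNUPG:] VALIDSIG {COLLIDING_FPR} 2015-02-27 1425027358 0 4 0 1 10 00 {COLLIDING_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Package or signature altered: the signature itself fails.
SAMPLE_BAD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG {EXPECTED_FPR[-16:]} Werner Koch (dist sig)
"""


def short_key_id(fingerprint: str) -> str:
    """The 8-hex-digit short key ID is only the tail of a v4 fingerprint."""
    return fingerprint.upper()[-8:]


def parse_status(status_text: str) -> Dict[str, Optional[str]]:
    """Pull the fields that matter out of gpg --status-fd output."""
    info: Dict[str, Optional[str]] = {
        "goodsig_keyid": None, "fingerprint": None, "primary_fpr": None,
        "failure": None, "trust": None,
    }
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["goodsig_keyid"] = fields[2]
        elif keyword == "VALIDSIG":
            info["fingerprint"] = fields[2].upper()
            # Primary-key fingerprint is the 12th field when gpg emits it.
            info["primary_fpr"] = (fields[11] if len(fields) >= 12 else fields[2]).upper()
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            info["failure"] = keyword
        elif keyword.startswith("TRUST_"):
            # Web-of-trust verdict; ignored on purpose, the pin replaces it.
            info["trust"] = keyword
    return info


def verify_against_pins(status_text: str, pinned: Set[str]) -> Tuple[bool, str]:
    """Accept only a good signature whose signing (or primary) key is pinned."""
    info = parse_status(status_text)
    if info["failure"] is not None:
        return False, f"signature did not verify ({info['failure']})"
    fpr = info["fingerprint"]
    if info["goodsig_keyid"] is None or fpr is None:
        return False, "no valid signature found in gpg status output"
    # Compare the whole fingerprint, never the key ID: the ID is a 32- or
    # 64-bit truncation of it and is not unique.
    if fpr in pinned or info["primary_fpr"] in pinned:
        return True, f"good signature from pinned key {fpr}"
    collision = any(short_key_id(p) == short_key_id(fpr) for p in pinned)
    note = " (short key ID collides with a pinned key)" if collision else ""
    return False, f"good signature, but from unpinned key {fpr}{note}"


def gpg_status_for(signature_path: str, data_path: str) -> str:
    """Run gpg on a real detached signature and return its status lines.

    Needs gpg on PATH; --status-fd 1 sends the machine-readable lines to
    stdout while the human-readable messages stay on stderr.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    for name, status in (("good", SAMPLE_GOOD_STATUS),
                         ("colliding", SAMPLE_COLLIDING_STATUS),
                         ("bad", SAMPLE_BAD_STATUS)):
        ok, reason = verify_against_pins(status, PINNED_FINGERPRINTS)
        print(f"{name:10s} accepted={ok}: {reason}")
```

For a real download, feed `gpg_status_for("gnupg-x.y.z.tar.bz2.sig", "gnupg-x.y.z.tar.bz2")` into `verify_against_pins` instead of the constructed transcripts; the rest of the logic is unchanged. Note that `TRUST_UNDEFINED` is deliberately not a failure condition: it is the status-line form of the "not certified with a trusted signature" warning in the thread, and the pinned fingerprint, not the web of trust, is what ties the signature to the intended key here.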