Re: gpg --verify

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gpg --verify

From:	Ricardo Wurmus
Subject:	Re: gpg --verify
Date:	Fri, 17 Feb 2017 14:42:53 +0100
User-agent:	mu4e 0.9.18; emacs 25.1.1

Catonano <address@hidden> writes:

> There' s a warning
>
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
>
> is this good enough ?

Yes, this sounds scary but it is expected.  With GPG you can assign a
level of trust to keys.  If there’s a signature on my key from a key
that you have marked as trusted (e.g. Ludo’s signature, and you mark
Ludo’s key as trustworthy), then the warning would change or disappear.
The warning just indicates that there is no “trust path” to my key.

If this were a forged signature you would see a scarier validation
error, not just a warning.

It’s not great UX, I agree.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

[Prev in Thread]

Current Thread

[Next in Thread]

gpg --verify, Catonano, 2017/02/17
- Re: gpg --verify, Ricardo Wurmus, 2017/02/17
  - Re: gpg --verify, Catonano, 2017/02/17
    - Re: gpg --verify, Catonano, 2017/02/17
    - Re: gpg --verify, Ricardo Wurmus <=
    - Re: gpg --verify, Catonano, 2017/02/17
    - Re: gpg --verify, ng0, 2017/02/17

Prev by Date: Re: gpg --verify
Next by Date: Re: gpg --verify
Previous by thread: Re: gpg --verify
Next by thread: Re: gpg --verify
Index(es):
- Date
- Thread