Re: ISO md5sum signing paranoia
On Thursday 29 September 2005 18:54, vitko wrote:
> I'm reinventing the wheel while learnig abou Debian key signing, so far
> I've been able to verify sarge-amd64 DVD iso images via
> $ gpg --verify MD5SUMS.sign MD5SUMS
> gpg: Signature made Mon 13 Jun 2005 10:48:17 PM CEST using DSA key ID
> F6A32A8E gpg: Good signature from "Santiago Garcia Mantinan (manty)
> <email@example.com>" gpg: aka "Santiago Garcia Mantinan (manty)
> <firstname.lastname@example.org>" gpg: aka "Santiago Garcia Mantinan
> (manty) <email@example.com>" gpg: WARNING: This key is not certified with a
> trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner. Primary key fingerprint: 3F0A 12FC 0B55 A917 D791 82D3 72FD C205
> F6A3 2A8E
> I'd like to know how to get rid of warning above. So far I've imported the
> whole Debian keyring
gpg just works this way. Why would you trust these keys until you met those
people yourself ?
The idea is that either YOU meet these people, or that somebody you trust did
it for you, or that somebody you trust knows somebody he trusts who knows
this trusty gal, who had a relation with a bloke, who met the guy at this
congress wich he now trusts.
Thats what the web of trust is about.
Of course, if you implicitly and blindly trust those keys to belong to the
people they claim to belong to, you could declare them to be trusted or sing
them with your own private key.
You can either use gpg for that directly (see help, look for edit-key and then
trust or sign) or, easier, use kgpg for a friendlier interface.
but ... do you really trust those keys ?
> Thanks for any enlightement.
hopefully it helped.