Re: ISO md5sum signing paranoia

[Ernest ter Kuile <ernest@terkuile.ch>]

On Thursday 29 September 2005 18:54, vitko wrote:
> I'm reinventing the wheel while learnig abou Debian key signing, so far
> I've been able to verify sarge-amd64 DVD iso images via
>
> $ gpg --verify MD5SUMS.sign MD5SUMS
> gpg: Signature made Mon 13 Jun 2005 10:48:17 PM CEST using DSA key ID
> F6A32A8E gpg: Good signature from "Santiago Garcia Mantinan (manty)
> <sgm@manty.net>" gpg:                 aka "Santiago Garcia Mantinan (manty)
> <manty@gpul.org>" gpg:                 aka "Santiago Garcia Mantinan
> (manty) <manty@debian.org>" gpg: WARNING: This key is not certified with a
> trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner. Primary key fingerprint: 3F0A 12FC 0B55 A917 D791  82D3 72FD C205
> F6A3 2A8E
>
> I'd like to know how to get rid of warning above. So far I've imported the
> whole Debian keyring

gpg just works this way. Why would you trust these keys until you met those 
people yourself ?

The idea is that either YOU meet these people, or that somebody you trust did 
it for you, or that somebody you trust knows somebody he trusts who knows 
this trusty gal, who had a relation with a bloke, who met the guy at this 
congress wich he now trusts.

Thats what the web of trust is about.

Of course, if you implicitly and blindly trust those keys to belong to the 
people they claim to belong to, you could declare them to be trusted or sing 
them with your own private key.

You can either use gpg for that directly (see help, look for edit-key and then  
trust or sign) or, easier, use kgpg for a friendlier interface.

but ... do you really trust those keys ?

>
> Thanks for any enlightement.

hopefully it helped.

Ernest.