Re: GPG trusted signatures, dpkg-buildpackage & gpg
Joe Drew <email@example.com> writes:
> gpg: Signature made Wed Sep 15 12:08:31 1999 EDT using DSA key ID 2FA3BC2D
> gpg: Good signature from "Wichert Akkerman <firstname.lastname@example.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
> I get this with every signature verification. It didn't mention
> anything about trusted signatures, etc., in the keysigning-howto. Is
> it just an annoyance or can I set up something with my trustdb in
> gpg which will stop this? (Is there one person who signs all Debian
> developer keys?)
It's just saying that you don't know if the key really belongs to Wichert.
Given that this key only seems to have been signed by Ray Dassen and
itself, in order to trust it you'd either have to tell gpg that you
know that it's Wichert's key (presumably just after getting back from a
key-signing) or you'd have to tell it that you trusted Ray to do that
check for you (do you know him?).
In the absence of either of these, gpg is correct in telling you that
you don't know if that key is really Wichert's or not.
If you actually know Ray, and you have good reason to believe that the
key used to sign this key was Ray's, and you trust him not to go round
signing keys without justification, then you could tell gpg about
this, by editing his key (with --edit-key) and using the "trust"
command to tell it how much you trust him.
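The reply above describes GnuPG's classic web of trust: a key is valid once you have signed it yourself, or once enough keys whose owners you trust have signed it. What follows is an added example, not code from the original thread or from GnuPG, that models that validity calculation with GnuPG's default thresholds (one full or three marginal introducers, max-cert-depth 5); the keyring contents, including the assumption that you signed Ray's key at a keysigning, are constructed.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation."""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(signatures, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """signatures: {signed_key: set(signer keys)}; ownertrust: {key: level}.
    Returns {key: validity}. A key becomes fully valid when signed by at
    least completes_needed fully valid keys with full ownertrust, or by
    marginals_needed fully valid keys with marginal ownertrust. Ultimately
    trusted keys (your own) are valid by definition and vouch as full."""
    keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        keys |= signers
    validity = {k: UNKNOWN for k in keys}
    for k, t in ownertrust.items():
        if t == ULTIMATE:
            validity[k] = ULTIMATE
    # Validity spreads one certification hop per round, up to max_cert_depth.
    for _ in range(max_cert_depth):
        changed = False
        for key, signers in signatures.items():
            if validity[key] in (FULL, ULTIMATE):
                continue
            # Self-signatures never vouch; only fully valid keys can introduce.
            introducers = [s for s in signers
                           if s != key and validity[s] in (FULL, ULTIMATE)]
            full = sum(ownertrust.get(s) in (FULL, ULTIMATE) for s in introducers)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in introducers)
            if full >= completes_needed or marginal >= marginals_needed:
                new = FULL
            elif marginal > 0:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def wichert_scenario(ray_ownertrust):
    """Constructed keyring (assumption): you signed Ray's key; Wichert's key
    is signed only by Ray and by itself. Returns Wichert's key validity."""
    signatures = {"ray": {"you"}, "wichert": {"ray", "wichert"}}
    ownertrust = {"you": ULTIMATE}
    if ray_ownertrust:
        ownertrust["ray"] = ray_ownertrust
    return compute_validity(signatures, ownertrust)["wichert"]


def gpg_would_warn(validity):
    """gpg prints the 'not certified with a trusted signature' warning
    for anything short of full validity."""
    return validity not in (FULL, ULTIMATE)
```

With no ownertrust assigned to Ray the key stays unknown and the warning appears; marginal trust in Ray alone leaves it marginally valid (still warned, since three marginal introducers are needed), while full trust in Ray makes it fully valid.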