[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apt-get package verification



On Sat, Feb 10, 2001 at 07:54:49PM +0100, Carel Fellinger wrote:
> On Sat, Feb 10, 2001 at 06:11:01PM +0100, marcoghidinelli wrote:
> ...
> > for the debian-developer keys: 
> > apt-get install debian-keyring
> > 
> 
> I've done this some time ago, but now I get:
> 
> [-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
> gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
> gpg: Good signature from "Marco Ghidinelli <marcogh@atdot.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 1C34 97F7 1837 D525 7E3F  C883 B572 DF1A EBF1 5399
> [-- End of PGP output --]

it's right. the signature was verified with the copy distribuited on public
keyserver. 
(i'm not a debian developer and you cannot get my public keys in the
debian-keyring)

> But I'm quit willing to trust debian developers in general.
> I trust them
> with the packages, might as well trust their identity:)  I'm a bit uncertain
> how to achieve this though.  Is it enough if I tell gpg to trust James Troup?

who is james troup??
i think that you must trust all the keys from debian-keyring.


-- 
BOFH excuse #235:

The new frame relay network hasn't bedded down the software loop transmitter yet. 

Attachment: pgpiqrGeDYCCj.pgp
Description: PGP signature


Reply to: