[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apt-get package verification

On Tue, Feb 13, 2001 at 09:28:49PM +0000, Jim Breton wrote:

> You don't need to assign any trust to these keys; it's enough to get the
> "Good signature..." output.  As long as the signature verifies
> successfully (as it does in your example above), you know that the
> person who created the key you've got on your keyring is the same person
> who sent the message/signed the package/whatever.
> 
> The issue of trusting the key is a separate one: it answers the
> question, "was this key created by the person whose name appears in the
> key?"  If you can unconditionally answer Yes to this question then go
> ahead and sign the key.  Otherwise you do not REALLY know that that key
> was created by that person.

Thanks for clearing this up.

-- 
groetjes, carel
Reply to: