Re: Apt-get package verification
On Tue, Feb 13, 2001 at 09:28:49PM +0000, Jim Breton wrote:
> You don't need to assign any trust to these keys; it's enough to get the
> "Good signature..." output. As long as the signature verifies
> successfully (as it does in your example above), you know that the
> person who created the key you've got on your keyring is the same person
> who sent the message/signed the package/whatever.
> The issue of trusting the key is a separate one: it answers the
> question, "was this key created by the person whose name appears in the
> key?" If you can unconditionally answer Yes to this question then go
> ahead and sign the key. Otherwise you do not REALLY know that that key
> was created by that person.
Thanks for clearing this up.