
Re: Unverifiable Signature on Debian Security Advisory Emails



On Thu, Dec 11, 2014 at 2:32 PM, Email from Eric <vtel57@inbox.com> wrote:
> Remember a couple weeks ago I sent you an email alerting you to the fact that I was having issues verifying (Enigmail/Thunderbird) your signature on Debian Security Advisories? Here's the error notice I'm receiving:
>
> Part of the message signed
> Unverified signature
> Public key 10BE8983F3D59D64 needed to verify signature
>
> I believe that the issue is that you're signing the emails, but you're not including your public key when you send. Without the public key, no one can verify your signature. Try sending next time and adding your public key to the signed email.

The key can be downloaded through keyservers.
Example: http://www.chmod.org/cgi/keylookup.cgi shows:

4096R/DAF6CE93 2014-9-2
         Sebastien Delafond <seb { At } debian.org>
         Sebastien Delafond <sdelafond { At } gmx.net>
         Sebastien Delafond <sdelafond { At } gmail.com>
         Sebastien Delafond <sebastien.delafond { At } enst-bretagne.fr>

To store the key locally for future verifications:
  $ gpg --recv-keys DAF6CE93

This is not enough to safely trust that the key is actually used by Sebastien Delafond and not someone else. To validate that the key is from him you'll need to rely on other ways, like the web of trust or a key signing party. Anyone can make a GPG key with whatever name attached to it.
I guess there might/should be something on the official website with the key IDs of official members.

I do agree that having the public key attached would simplify key distribution, but it also forces the transfer of a lot more bytes than necessary.

My 2 cents & Happy holidays :)

--
Jérémie MARGUERIE
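Added example, not from the original thread and not Debian's or Enigmail's code: a small Python parser for the RFC 4880 pieces this exchange touches. It dearmors a constructed detached signature, pulls the 64-bit issuer key ID out of the signature packet (that field is what produces the "Public key 10BE8983F3D59D64 needed" message quoted above; when a signing subkey made the signature it is the subkey's ID, not the primary key's), computes the v4 fingerprint of a constructed public key packet, and reproduces the "key needed" decision by checking whether any fingerprint in a local keyring ends in that ID. The RSA values, timestamps and user ID are constructed and not a real key; the issuer ID is the one quoted on the page. The user-ID string is there to make the point of the message above: nothing in the packet ties the name to a person, so only the fingerprint, compared out of band or vouched for by keys you already trust, does.

```python
"""Where "Public key <ID> needed to verify signature" comes from (RFC 4880)."""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

NEEDED_ISSUER = "10BE8983F3D59D64"   # key ID quoted in the Enigmail error on this page


def crc24(data: bytes) -> int:
    """CRC-24 used by ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(kind: str, body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    crc = base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n={crc}\n-----END PGP {kind}-----\n"


def dearmor(text: str) -> bytes:
    """Strip BEGIN/END lines and armor headers, decode base64, check the CRC-24."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    inner = lines[1:-1]
    if "" in inner:
        inner = inner[inner.index("") + 1:]          # drop armor headers
    crc_line = inner.pop()                            # "=XXXX"
    body = base64.b64decode("".join(inner))
    if crc24(body).to_bytes(3, "big") != base64.b64decode(crc_line[1:]):
        raise ValueError("armor CRC mismatch")
    return body


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a one-octet length (bodies < 256 bytes)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


def read_packet(data: bytes) -> Tuple[int, bytes]:
    """Parse one old-format packet header; return (tag, body)."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("only old-format packets handled in this example")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        n, off = data[1], 2
    elif ltype == 1:
        n, off = struct.unpack(">H", data[1:3])[0], 3
    elif ltype == 2:
        n, off = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate length not handled")
    return tag, data[off:off + n]


def mpi(value: int) -> bytes:
    """Multi-precision integer: two-octet bit count, then big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def subpacket(stype: int, body: bytes) -> bytes:
    """Signature subpacket; the one-octet length covers the type octet too."""
    return bytes([len(body) + 1, stype]) + body


def parse_subpackets(area: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(area):
        n = area[i]
        if n >= 192:
            raise ValueError("long subpacket lengths not handled")
        out.append((area[i + 1], area[i + 2:i + 1 + n]))
        i += 1 + n
    return out


def signature_issuer(sig_body: bytes) -> str:
    """Return the 64-bit issuer key ID (hex) from a v4 signature packet body.

    This is the ID a verifier prints when the signing key is not in the keyring.
    """
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    u = 6 + hashed_len                                # start of unhashed count
    unhashed_len = struct.unpack(">H", sig_body[u:u + 2])[0]
    areas = parse_subpackets(sig_body[6:u]) + parse_subpackets(sig_body[u + 2:u + 2 + unhashed_len])
    for stype, body in areas:
        if stype == 16 and len(body) == 8:            # Issuer subpacket
            return body.hex().upper()
    raise ValueError("no issuer subpacket")


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet length || public key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """Long key ID = low 64 bits of the fingerprint; the 'short' ID is its last 32."""
    return fingerprint[-16:]


def missing_key_for(sig_armored: str, keyring: Dict[str, str]) -> Optional[str]:
    """Issuer ID if no key in keyring (fingerprint -> user ID) can verify, else None."""
    tag, body = read_packet(dearmor(sig_armored))
    if tag != 2:
        raise ValueError("not a signature packet")
    issuer = signature_issuer(body)
    return None if any(key_id(fp) == issuer for fp in keyring) else issuer


# Constructed public key (tag 6): v4, creation time, RSA, toy modulus and exponent.
KEY_BODY = b"\x04" + struct.pack(">I", 1409616000) + b"\x01" + mpi(0xC0FFEE0123456789ABCDEF) + mpi(65537)
KEY_FPR = v4_fingerprint(KEY_BODY)
KEYRING = {KEY_FPR: "Anyone <anyone@example.org>"}     # user ID is just a string anyone can type

# Constructed v4 signature: text-document sig, RSA, SHA-256, issuer from the page.
SIG_BODY = (b"\x04\x01\x01\x08"
            + struct.pack(">H", 6) + subpacket(2, struct.pack(">I", 1418329920))
            + struct.pack(">H", 10) + subpacket(16, bytes.fromhex(NEEDED_ISSUER))
            + b"\x12\x34" + mpi(0x5A5A))              # left-16 bits and a dummy MPI
SIGNATURE = armor("SIGNATURE", old_packet(2, SIG_BODY))

if __name__ == "__main__":
    print("local key fingerprint:", KEY_FPR, "id:", key_id(KEY_FPR))
    needed = missing_key_for(SIGNATURE, KEYRING)
    print("Public key", needed, "needed to verify signature" if needed else "present")
```

Running the block prints the constructed key's fingerprint and then the same "Public key ... needed" line the quoted Enigmail report shows, because the constructed keyring holds no key whose ID matches the signature's issuer. Once the real key is fetched with the `gpg --recv-keys` command above, compare the output of `gpg --fingerprint` against a fingerprint obtained through a trusted channel rather than stopping at the key ID: a 32-bit short ID such as the one in the keyserver listing is cheap to collide, and even the 64-bit issuer ID is not what a keysigning verifies.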
