
Re: GNU-PG verifying question/confusion.



It means that gpg cannot verify that the "Linux Kernel Archives
Verification Key" is what it says it is; the tarball has been signed
with that key, but there is no assurance that both the key and tarball
haven't been modified.  What it boils down to is whether or not you
trust that the key you have is the real key you want.

Read the gpg docs for more info on "trust".

-- 

On Wed, 15 Mar 2000, Martin Bishop wrote:

> Hi,
> 
> I've searched the mailing list archives and couldn't find
> the answer so I'm trying here hoping someone could
> help.
> 
> When I run:
> gpg --verify linux-2.3.41.tar.bz2.sign linux-2.3.41.tar.bz2
> 
> I get this result:
> gpg: Signature made Sat Jan 29 10:18:19 2000 EST using DSA key ID 1E1A8782
> gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"
> Could not find a valid trust path to the key.  Let's see whether we
> can assign some missing owner trust values.
> 
> No path leading to one of our keys found.
> 
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782
> 
> My question:
> Does this mean that the linux-2.3.41.tar.bz2 is no good or
> that the "sign" file is no good?
> 
> I got the public signature key from here:
> "http://www.kernel.org/signature.html" and
> I've imported this key.
> 
> Any help is appreciated.
> 
> MB.
> 


later,

	Bruce
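
The distinction drawn in the reply above (a good signature versus a key you have reason to trust), as an added example that is not part of the original thread: a shell function that reads `gpg --status-fd` output and accepts only when the signature is good and the signing key's fingerprint equals one obtained through a separate channel. The function names and the sample status lines are constructed for illustration; the fingerprint is the one quoted in the question.

```shell
#!/bin/sh
# Added example. Feed it the output of:
#   gpg --status-fd 1 --verify linux-2.3.41.tar.bz2.sign linux-2.3.41.tar.bz2 2>/dev/null
# $1 = fingerprint obtained out of band (assumption: you have such a copy).
classify_verify() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    sig=none fpr='' trust=none
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)       [ "$sig" = bad ] || sig=good ;;  # bad is sticky
            BADSIG|ERRSIG) sig=bad ;;    # data altered, or signature not checkable
            VALIDSIG)      fpr=$arg1 ;;  # full fingerprint of the signing key
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=ok ;;
        esac
    done
    if [ "$sig" != good ]; then
        echo "REJECT: tarball or .sign file does not verify"
    elif [ -z "$fpr" ] || [ "$fpr" != "$pinned" ]; then
        echo "REJECT: signing key is not the pinned key"
    elif [ "$trust" = ok ]; then
        echo "OK: good signature, key certified through a trust path"
    else
        echo "OK: good signature, fingerprint pinned, no trust path"
    fi
}

# Constructed status lines modelled on the output quoted in the question,
# trimmed to the fields the function reads.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG F2A575DC1E1A8782 Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
[GNUPG:] VALIDSIG 9DB4C3A4EF2A3111907282F3F2A575DC1E1A8782 2000-01-29 949159099
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_status | classify_verify "9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782"
```

When a signature is made by a subkey, the first field of `VALIDSIG` is the subkey's fingerprint and the primary key's fingerprint is the last field, so pin whichever one you were given.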

