
Re: GnuPG can't Check signature msg?



On Mon, Dec 11, 2000 at 04:09:30PM +0100, Jonathan Gift wrote:
> Hi,
> 
> I installed the GnuPG and set up my own public key and while most of
> the msg headers to do with not finding pgp on pgp using email are gone,
> one remains:
> 
> gpg: Signature made Mon Dec 11...
> gpg: Can't check signature: public key not found
> 
> Now, I assume the first is just a confirmation on when the key was used,

correct, and with all the accuracy of the sender's clock.

> but does the second refer to not finding my key, or did the sender not
> send his and so this is a simple notification of that fact? If either,
> should I fix and how?

It seems you have a misunderstanding of how PGP works.

The mail you received claims to be signed with the private key of,
say, 0xDEADBEEF.  Anyone can read it and see that key claims to have
signed it, just as a contract or a check can have the signature of
'John Doe' on it.

This leaves a couple questions, though: how do you know that's a valid
signature?  Just what -is- a valid signature?

There are two things you need to know to verify a signature: you need to
have the 'Public Key'.  This you should -not- get via email, especially
not in the same mail that it supposedly signs.  Think of how much your
bank would believe you if you said, "Oh, you don't have his signature on
file?  Here, I have a postcard John Doe signed, too, so you can see it's
the same!"  They wouldn't believe you.

The public key, as the name implies, is often available to anyone
through the public keyservers: GNU PG is smart enough to query these if
you tell it to: just add something like:
  keyserver wwwkeys.us.pgp.net
to your .gnupg/options file.

That handles half of the problem: how to get the magic signature
card.... but the other half is more complex.  Just how do you know that
signature card for 'John Doe' is really the same as the guy you met at
lunch yesterday?  Or is this some other John Doe?  Or someone who is
just pretending to be him?

For that, you need to get into some of the interesting stuff in PGP,
namely the 'web of trust'.  Each key you have on your own keyring
(either keys you've manually imported, or fetched automatically from
keyservers) has a trust level, based upon who has 'signed' each key and
your own personal ranking of it.

If you mark Fred's key as trusted to sign (ie, you know Fred and you
know he doesn't just sign keys out of boredom), and -he- says that
0xDEADBEEF key is what John Doe uses, you will trust that key as well.
(But you won't necessarily trust any keys that John Doe signs unless you
tell GPG that you trust John for signing keys, too.)

Needless to say it can be very complex:  the PGP FAQs cover the 'web of
trust' concept well, though; you should check them out.

For casual use, next time you talk to John Doe (in a manner where you
can verify it really is him -- ideally, that means, in person), get
his 'fingerprint' of the key.  If he says 'Oh, yes, 0xDEADBEEF is me!'
then you know the mail signed by 0xDEADBEEF was from him and not an
imposter.  For future use, you may want to mark the key as trusted (use
'gpg --edit-key' for this).  If you're REALLY sure that he is who he
claims, then sign the key and upload the signed key to the keyservers,
so that people who trust -you- will know that 0xDEADBEEF is John without
having to ask either of you.

-- 
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g; 
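
An added example, not part of the original mail: a POSIX shell function that reads the output of `gpg --status-fd 1 --verify` and tells apart the cases the reply describes (public key missing, good signature from a key whose owner you have not verified, good signature confirmed by fingerprint or by the web of trust). The function names, key id and fingerprint are constructed for illustration; the status keywords are GnuPG's own.

```shell
#!/bin/sh
# Added example (not from the original mail). Reads the machine-readable lines
# that `gpg --status-fd 1 --verify FILE` prints on stdin and reports which
# situation applies. $1 is optional: a fingerprint the signer gave you in person.
classify_sig() {
    expected=$(printf '%s' "${1:-}" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0; bad=0; missing=""; fpr=""; trust="UNKNOWN"
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)   good=1 ;;             # signature matches key and message
            BADSIG)    bad=1 ;;              # message or signature was altered
            NO_PUBKEY) missing=$arg ;;       # "public key not found"
            VALIDSIG)  fpr=$arg ;;           # full fingerprint of the signing key
            TRUST_*)   trust=${kw#TRUST_} ;; # validity computed from your keyring
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo "BAD"
    elif [ -n "$missing" ]; then
        echo "NO_KEY $missing"
    elif [ "$good" -ne 1 ]; then
        echo "UNVERIFIED"
    elif [ -n "$expected" ]; then
        if [ "$fpr" = "$expected" ]; then echo "GOOD fingerprint-confirmed"
        else echo "MISMATCH $fpr"; fi
    else
        case "$trust" in
            FULLY|ULTIMATE) echo "GOOD web-of-trust" ;;
            *)              echo "GOOD-BUT-UNVERIFIED-OWNER $trust" ;;
        esac
    fi
}

# Constructed sample status output (key id and fingerprint are made up).
FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEADBEEF
sample_no_key() {
    printf '%s\n' '[GNUPG:] ERRSIG 00000000DEADBEEF 17 2 00 976547370 9' \
                  '[GNUPG:] NO_PUBKEY 00000000DEADBEEF'
}
sample_good() {   # $1 = trust keyword gpg would emit for the key
    printf '%s\n' '[GNUPG:] GOODSIG 00000000DEADBEEF John Doe <jdoe@example.org>' \
                  "[GNUPG:] VALIDSIG $FPR 2000-12-11 976547370" "[GNUPG:] $1"
}

sample_no_key | classify_sig                       # NO_KEY 00000000DEADBEEF
sample_good TRUST_UNDEFINED | classify_sig         # GOOD-BUT-UNVERIFIED-OWNER UNDEFINED
sample_good TRUST_UNDEFINED | classify_sig "$FPR"  # GOOD fingerprint-confirmed
```

Against a real message the input would come from `gpg --status-fd 1 --verify FILE 2>/dev/null | classify_sig`, optionally followed by the fingerprint obtained from the signer.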


