
GPG on Linux kernel source



Hi,

Recently I tried to verify the source from www.linux.org, but I had the
following:
okidz@bdg:~$ gpg --verify linux-2.4.4.tar.bz2.sign linux-2.4.4.tar.bz2
gpg: Signature made Sat Apr 28 08:48:08 2001 JAVT using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"
Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: C75D C40A 11D7 AF88 9981  ED5B C86B A06A 517D 0F0E

I don't get it; would anybody decipher the message in plain English,
please?

BTW, for verification of originality of the tarball, wouldn't it be
easier using MD5?

okidz@bdg:~$ md5sum linux-2.4.4.tar.bz2
b2cb01dfca76829c31ddc61445e4bbb9  linux-2.4.4.tar.bz2

I think so; there's no server to connect to, and there's no signature
file to retrieve.

Oki

-- 
The JanosVM supports separate per-team heaps, per-team garbage
collection threads, inter-team thread migration, safe cross-team
reference objects, and a spiffy tutorial.
             http://www.cs.utah.edu/flux/janos/janosvm-0.5.0/ANNOUNCE
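
The output above reports a good signature from a key that has no trust path; one way to handle that case in a script is to compare the signing key's fingerprint with a pinned one, shown here as an added example that is not part of the original post. The function names, verdict words and sample status lines are constructed for illustration, and the pinned value is the fingerprint printed in the post, assumed to have been confirmed through an independent channel.

```shell
#!/bin/sh
# Fingerprint as printed in the post, spaces removed. Assumption: it has been
# confirmed out of band; copying it from the same download proves nothing.
PINNED_FPR="C75DC40A11D7AF889981ED5BC86BA06A517D0F0E"

# check_status PIN
# Reads machine-readable gpg status lines on stdin, e.g. from
#   gpg --status-fd 1 --verify linux-2.4.4.tar.bz2.sign linux-2.4.4.tar.bz2 2>/dev/null
# Prints one verdict word; returns 0 only when every valid signature was made
# by the pinned key. The TRUST_* lines are ignored on purpose: the pin
# replaces the missing web-of-trust path that the WARNING complains about.
check_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }              # ignore anything but status lines
        $2 == "BADSIG"   { bad = 1 }           # data does not match the signature
        $2 == "GOODSIG"  { good = 1 }          # signature is cryptographically valid
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3        # primary key fingerprint if present
            if (toupper(fpr) == toupper(pin)) ok = 1; else wrong = 1
        }
        END {
            if (bad)        { print "bad-signature"; exit 2 }
            if (wrong)      { print "wrong-key"; exit 4 }
            if (good && ok) { print "pinned-ok"; exit 0 }
            print "no-valid-signature"; exit 3
        }'
}

# Constructed status lines matching the human-readable output in the post:
# good signature, DSA key, no trust path (TRUST_UNDEFINED).
sample_status() {
    cat <<'EOF'
[GNUPG:] SIG_ID constructedSigId 2001-04-28 988422488
[GNUPG:] GOODSIG C86BA06A517D0F0E Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
[GNUPG:] VALIDSIG C75DC40A11D7AF889981ED5BC86BA06A517D0F0E 2001-04-28 988422488 0 3 0 17 2 00 C75DC40A11D7AF889981ED5BC86BA06A517D0F0E
[GNUPG:] TRUST_UNDEFINED
EOF
}
```

A bare MD5 sum fetched from the same server as the tarball would pass or fail together with the tarball, which is why the check above keys on the signer's fingerprint instead.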


