On Wed, May 09, 2001 at 12:28:33PM +0700, Oki DZ wrote:
> Hi,
>
> Recently I tried to verify the source from www.linux.org, but I had the
> following:
> okidz@bdg:~$ gpg --verify linux-2.4.4.tar.bz2.sign linux-2.4.4.tar.bz2
> gpg: Signature made Sat Apr 28 08:48:08 2001 JAVT using DSA key ID
> 517D0F0E
> gpg: Good signature from "Linux Kernel Archives Verification Key
> <ftpadmin@kernel.org>"
> Could not find a valid trust path to the key. Let's see whether we
> can assign some missing owner trust values.
>
> No path leading to one of our keys found.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> gpg: Fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
>
> I don't get it; would anybody decipher the message in plain English,
> please?
Simple:
- the signature has been made with that key
- you don't know for sure that the key actually belongs to "Linux Kernel
  Archives Verification Key" because one or more of:
  a) You haven't signed that key (and you shouldn't unless you meet the
     owner in person)
  b) The key is not signed by anybody you trust
>
> BTW, for verification of originality of the tarball, wouldn't it be
> easier using MD5?
>
> okidz@bdg:~$ md5sum linux-2.4.4.tar.bz2
> b2cb01dfca76829c31ddc61445e4bbb9 linux-2.4.4.tar.bz2
>
> I think so; there's no server to connect to, and there's no signature
> file to retrieve.
>
> Oki
This email is signed, and assuming that no valid trust path exists
between us, you should receive the same message when verifying it.
--
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
==== Today's fortune:
Genetics explains why you look like your father, and if you don't, why
you should.
Attachment:
pgpbXZfGMF_3F.pgp
Description: PGP signature
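
The distinction drawn in the reply above (a good signature versus a key you have reason to believe in) can be checked mechanically from gpg's machine-readable status lines. The following is an added example, not part of the original thread: the function name, result labels and sample status lines are constructed, and the pinned fingerprint is simply the one printed in the quoted output, standing in for a value obtained through a channel independent of the download.

```shell
#!/bin/sh
# Added example. Classifies `gpg --status-fd 1 --verify` output by comparing
# the signer's full fingerprint against a pinned value, independent of any
# web-of-trust state (TRUST_* lines are deliberately ignored).

# Fingerprint from the quoted gpg output, spaces removed (sample pin only).
PINNED_FPR="C75DC40A11D7AF889981ED5BC86BA06A517D0F0E"

# classify_status PINNED_FINGERPRINT  < status lines on stdin
# Prints: pinned-ok | good-but-unpinned | bad | no-good-signature
classify_status() {
    pinned=$1 good=0 bad=0 fpr=""
    while read -r tag keyword arg1 _rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue      # skip human-readable lines
        case $keyword in
            GOODSIG)        good=1 ;;            # signature verifies
            BADSIG|ERRSIG)  bad=1 ;;             # tampered or uncheckable
            VALIDSIG)       fpr=$arg1 ;;         # first field: full fingerprint
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo bad
    elif [ "$good" -eq 0 ]; then
        echo no-good-signature                   # includes expired/revoked keys
    elif [ "$fpr" = "$pinned" ]; then
        echo pinned-ok
    else
        echo good-but-unpinned                   # valid, but from another key
    fi
}

# Constructed, abbreviated status lines for the situation in the thread:
# the signature is good, yet no trust path exists (TRUST_UNDEFINED).
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG C86BA06A517D0F0E Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
[GNUPG:] VALIDSIG C75DC40A11D7AF889981ED5BC86BA06A517D0F0E 2001-04-28 988418888
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Real use would feed gpg's own output instead of the sample:
#   gpg --status-fd 1 --verify linux-2.4.4.tar.bz2.sign linux-2.4.4.tar.bz2 \
#       2>/dev/null | classify_status "$PINNED_FPR"
sample_status | classify_status "$PINNED_FPR"
```

A bare checksum such as the md5sum output quoted above has no equivalent of the pinned key: it only shows that the file matches whatever value was published next to it.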