Re: OT: More about GPG signing

To: debian-user@lists.debian.org
Subject: Re: OT: More about GPG signing
From: Ralf Mardorf <ralf.mardorf@alice-dsl.net>
Date: Thu, 10 May 2012 17:59:34 +0200
Message-id: <[🔎] 1336665574.5057.2.camel@precise>
In-reply-to: <[🔎] 20120510155511.GI23173@codelibre.net>
References: <[🔎] 4FABE2B6.6020004@gmail.com> <[🔎] 1336664952.4735.10.camel@precise> <[🔎] 20120510155511.GI23173@codelibre.net>

On Thu, 2012-05-10 at 16:55 +0100, Roger Leigh wrote:
> On Thu, May 10, 2012 at 05:49:12PM +0200, Ralf Mardorf wrote:
> > On Thu, 2012-05-10 at 16:45 +0100, Phil Dobbin wrote:
> > > On 10/05/12 16:14, Tony van der Hoff wrote:
> > > 
> > > > So, this message was signed.
> > > > 
> > > > Having recently installed enigmail, to see what all the fuss is about
> > > > in the other thread. I find I'm at a loss to understand how to
> > > > interpret this.
> > > > -------------------------------------------------
> > > > OpenPGP Security Info
> > > > 
> > > > Unverified signature
> > > > 
> > > > gpg command line and output:
> > > > /usr/bin/gpg
> > > > gpg: Signature made Thu 10 May 2012 15:27:47 BST using RSA key ID A093C263
> > > > gpg: Can't check signature: public key not found
> > > > -------------------------------------------------
> > > > 
> > > > Am I expected to go to some keyserver to find the sender's public key?
> > > > How, where, why?
> > > > 
> > > > Maybe I've not set up Enigmail correctly?
> > > > 
> > > > Alternatively, should I just ignore the signature, in which case why
> > > > is the sender polluting the list with useless crap?
> > > 
> > > You have an option to import my key under your PGP menu should you wish
> > > to do so . If you have installed Enigmail then go ahead & do it.
> 
> > With Evolution I can't. I need your keyserver and your keynumber.
> 
> The key number is in the message (A093C263 above).  The key servers
> are all public and mirrored with each other, so just pick one or
> more to use.  If the person signing the message hasn't uploaded their
> key to a public keyserver, then they are perhaps not understanding
> what the public key is for ;)

This resulted in "Valid signature, but cannot verify sender (Phil Dobbin
<bukowskiscat@gmail.com>)":

gpg: armor header: Hash: SHA1
gpg: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
gpg: original file name=''
gpg: Signature made Thu 10 May 2012 05:45:50 PM CEST using RSA key ID
A093C263
gpg: using PGP trust model
gpg: Good signature from "Phil Dobbin <bukowskiscat@gmail.com>"
gpg:                 aka "[jpeg image of size 518977]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: AADB 6887 80BF 485B EF0D  4DBC 23E6 616E A093
C263
gpg: textmode signature, digest algorithm SHA1

Reply to:

Follow-Ups:
- Re: OT: More about GPG signing
  - From: Roger Leigh <rleigh@codelibre.net>
- Re: OT: More about GPG signing
  - From: Brad Rogers <brad@fineby.me.uk>

References:
- Re: OT: More about GPG signing
  - From: Phil Dobbin <bukowskiscat@gmail.com>
- Re: OT: More about GPG signing
  - From: Ralf Mardorf <ralf.mardorf@alice-dsl.net>
- Re: OT: More about GPG signing
  - From: Roger Leigh <rleigh@codelibre.net>

Prev by Date: Re: OT: More about GPG signing
Next by Date: Re: OT: More about GPG signing
Previous by thread: Re: OT: More about GPG signing
Next by thread: Re: OT: More about GPG signing
Index(es):
- Date
- Thread