
Re: OT: More about GPG signing



On Thu, May 10, 2012 at 05:59:34PM +0200, Ralf Mardorf wrote:
> On Thu, 2012-05-10 at 16:55 +0100, Roger Leigh wrote:
> > On Thu, May 10, 2012 at 05:49:12PM +0200, Ralf Mardorf wrote:
> > > On Thu, 2012-05-10 at 16:45 +0100, Phil Dobbin wrote:
> > > With Evolution I can't. I need your keyserver and your keynumber.
> > 
> > The key number is in the message (A093C263 above).  The key servers
> > are all public and mirrored with each other, so just pick one or
> > more to use.  If the person signing the message hasn't uploaded their
> > key to a public keyserver, then they are perhaps not understanding
> > what the public key is for ;)
> 
> This resulted in "Valid signature, but cannot verify sender (Phil Dobbin
> <bukowskiscat@gmail.com>)":

That's all exactly as it should be.  The signature was validated,
i.e. the message was signed with the private key of this key pair.
However, because you've not told gpg that you trust them, gpg can't
verify that the identity is real.  After all, anyone can make a key
with a given name and email address--this is not in itself proof of
the origin of the email.

For that, you need to sign their key with your key, which establishes
that you have met them in real life, and that you have associated a
real life individual with that particular private key.  For that,
you'll need to look into keysigning and trust relationships with
gpg.  You don't even need to meet them personally--you just need to
join the web of trust by trusting someone who trusts them, or even
2 or more hops from that.  I've mainly only signed the keys of
Debian developers who are in the UK or were visiting the UK, but
because of this, I can trust people all over the world who aren't
even necessarily associated with Debian.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
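
The distinction Roger draws above (a good signature versus a verified identity, and trust reaching two or more hops out through the web of trust) can be made concrete with a small model of GnuPG's classic trust calculation. This is an added illustration written for this thread, not GnuPG's code: the key ids and certifications are constructed sample data, and the three thresholds mirror gpg's documented defaults (`--completes-needed 1`, `--marginals-needed 3`, `--max-cert-depth 5`).

```python
"""Toy model of GnuPG's classic web-of-trust validity calculation.

Added illustration, not GnuPG's own code.  Key ids below are constructed
placeholders; thresholds follow gpg's documented defaults.
"""

COMPLETES_NEEDED = 1   # one fully trusted certifier is enough
MARGINALS_NEEDED = 3   # or three marginally trusted ones
MAX_CERT_DEPTH = 5     # longest certification chain gpg will follow

# Ownertrust is the local user's private opinion of how carefully a key's
# owner certifies other keys.  It is never part of the key itself.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(certifications, ownertrust):
    """Return {key_id: validity}, validity in ultimate/full/marginal/unknown.

    certifications: {key_id: set of key_ids whose signatures it carries}
    ownertrust:     {key_id: ULTIMATE | FULL | MARGINAL | NONE}

    Only keys that are themselves fully valid lend their ownertrust to
    others, and every round of the loop adds at most one hop of depth.
    """
    validity = {k: "unknown" for k in certifications}
    for k, t in ownertrust.items():        # depth 0: my own key(s)
        if t == ULTIMATE:
            validity[k] = ULTIMATE

    for _depth in range(MAX_CERT_DEPTH):
        snapshot = dict(validity)          # evaluate against last round only
        changed = False
        for key, signers in certifications.items():
            if snapshot[key] in (ULTIMATE, FULL):
                continue
            full_votes = marginal_votes = 0
            for s in signers:
                if snapshot.get(s) not in (ULTIMATE, FULL):
                    continue               # an unverified signer has no weight
                t = ownertrust.get(s, NONE)
                if t in (ULTIMATE, FULL):
                    full_votes += 1
                elif t == MARGINAL:
                    marginal_votes += 1
            if full_votes >= COMPLETES_NEEDED or marginal_votes >= MARGINALS_NEEDED:
                new = FULL
            elif full_votes or marginal_votes:
                new = MARGINAL
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def gpg_verdict(validity):
    """Roughly what `gpg --verify` reports for a GOOD signature by a key of
    the given validity: the cryptography checks out in every case."""
    if validity in (ULTIMATE, FULL):
        return "Good signature"
    if validity == MARGINAL:
        return "Good signature; WARNING: not certified with sufficiently trusted signatures"
    return "Good signature; WARNING: this key is not certified with a trusted signature"


def thread_scenario(i_signed_rogers_key):
    """The situation in this thread: a mail from Phil, whose key carries
    Roger's certification.  Key ids are constructed placeholders."""
    me, roger, phil = "RALF0001", "ROGER001", "PHIL0001"
    certs = {
        me: {me},
        roger: {roger} | ({me} if i_signed_rogers_key else set()),
        phil: {phil, roger},
    }
    trust = {me: ULTIMATE, roger: FULL if i_signed_rogers_key else NONE}
    return compute_validity(certs, trust)[phil]


def marginal_scenario(marginal_signers):
    """A key certified only by people I trust marginally (keys I signed)."""
    signers = [f"M{i}" for i in range(marginal_signers)]
    certs = {"ME": {"ME"}, "TARGET": {"TARGET", *signers}}
    trust = {"ME": ULTIMATE}
    for s in signers:
        certs[s] = {s, "ME"}
        trust[s] = MARGINAL
    return compute_validity(certs, trust)["TARGET"]


def chain_scenario(hops):
    """A straight chain ME -> K1 -> ... -> Khops, every link fully trusted."""
    keys = ["ME"] + [f"K{i}" for i in range(1, hops + 1)]
    certs = {k: {k} for k in keys}
    trust = {"ME": ULTIMATE}
    for prev, cur in zip(keys, keys[1:]):
        certs[cur].add(prev)
        trust[cur] = FULL
    return compute_validity(certs, trust)[keys[-1]]


if __name__ == "__main__":
    for signed in (False, True):
        v = thread_scenario(signed)
        print(f"signed Roger's key={signed}: Phil's key is {v} -> {gpg_verdict(v)}")
```

Run as written, the first line reproduces the "valid signature, but cannot verify sender" state: Phil's key is "unknown" until something connects it to the local ultimately-trusted key. The second line shows the one-hop fix Roger describes, and `chain_scenario(6)` shows that gpg stops following a chain after `--max-cert-depth` hops. In real gpg the equivalent steps are `gpg --sign-key` (or `--lsign-key` for a local, non-exportable certification) followed by setting ownertrust via `gpg --edit-key <id>` and the `trust` command.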