Re: gpg --verify
From: Ricardo Wurmus
Subject: Re: gpg --verify
Date: Fri, 17 Feb 2017 14:42:53 +0100
User-agent: mu4e 0.9.18; emacs 25.1.1

Catonano <address@hidden> writes:
> There's a warning
>
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
>
> Is this good enough?

Yes, this sounds scary but it is expected. With GPG you can assign a
level of trust to keys. If there’s a signature on my key from a key
that you have marked as trusted (e.g. Ludo’s signature, and you mark
Ludo’s key as trustworthy), then the warning would change or disappear.
The warning just indicates that there is no “trust path” to my key.

If this were a forged signature you would see a scarier validation
error, not just a warning.

It’s not great UX, I agree.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
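
Added example, not part of the message above and not code from Guix: a shell function that reads gpg's machine-readable output (--status-fd) and separates the two cases the reply describes, a good signature with no trust path versus a bad signature, while also comparing the signer's fingerprint with one you supply. The status lines are constructed samples, the second fingerprint is made up, and the expected fingerprint is copied from the signature block above purely for illustration.

```shell
#!/bin/sh
# Added example. Intended use (file names are up to you):
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null | classify_status "FPR"
# $1 is the fingerprint you expect, obtained out of band; spaces are ignored.
classify_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0 bad=0 fpr="" primary="" trust="none"
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)  good=1 ;;                       # signature matches the data
            BADSIG)   bad=1 ;;                        # data or signature altered
            VALIDSIG) fpr=$a1; primary=${rest##* } ;; # signing key, primary key
            TRUST_*)  trust=${kw#TRUST_} ;;           # web-of-trust level only
        esac
    done
    if [ "$bad" = 1 ]; then echo "BAD"; return 2; fi
    # gpg emits ERRSIG, EXPKEYSIG or REVKEYSIG instead of GOODSIG; those land here.
    if [ "$good" != 1 ] || [ -z "$fpr" ]; then echo "UNVERIFIED"; return 2; fi
    if [ "$fpr" != "$expected" ] && [ "$primary" != "$expected" ]; then
        echo "WRONG-KEY $primary"; return 1
    fi
    echo "GOOD trust=$trust"   # trust=UNDEFINED is the "not certified" warning
}

# Constructed sample status lines (not captured from a real gpg run).
EXPECTED_FPR='BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC'
F=BCA689B636553801C3C62150197A5888235FACAC
SAMPLE_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 197A5888235FACAC Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $F 2016-12-21 1482300000 0 4 0 1 8 00 $F
[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 197A5888235FACAC Constructed Signer <signer@example.org>"
O=0123456789ABCDEF0123456789ABCDEF01234567   # made-up fingerprint, not a real key
SAMPLE_OTHER="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <other@example.org>
[GNUPG:] VALIDSIG $O 2016-12-21 1482300000 0 4 0 1 8 00 $O
[GNUPG:] TRUST_UNDEFINED 0 pgp"

for s in "$SAMPLE_UNTRUSTED" "$SAMPLE_BAD" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | classify_status "$EXPECTED_FPR" || true
done
```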