phrase "UNTRUSTED good signature" is dangerously misleading

Werner Koch wk at
Sun Jul 14 17:05:09 CEST 2013

On Sun, 14 Jul 2013 12:14, infinity0 at said:

> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          It may not actually belong to e.g. <first UID>.
> gpg:          See keysigning(7) for guidance on how to fix this.

The thing here is that often there is no need to "fix" anything.  Using
the WoT is just one way to validate a key; there are others - which is
the reason why the fingerprint is printed below.

Changing the message text is a difficult matter: We need to get all the
translations and in most cases it turns out that the new version is not
much better.  Thus we had better not change something which has done its
job okay for many years.

In any case, the non-experienced user is expected to use a different
user interface than gpg on the command line.  Thus all improvements
should go into the GUI, which has more ways to explain what is going



Thoughts are free.  Exceptions are regulated by a federal law.
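
The reply above says the Web of Trust is only one way to validate a key and that the printed fingerprint serves the others. The following added example (not part of the original message and not GnuPG code) classifies the status lines from `gpg --status-fd 1 --verify` against a fingerprint obtained out of band; the fingerprint, key ID and user ID are constructed placeholders, and a single signature per file is assumed.

```python
# Added example: interpret gpg's machine-readable status lines instead of the
# human-readable warning text. Assumes exactly one signature was verified.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
WOT_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def normalize(fpr):
    """Fingerprints are often pasted with spaces and mixed case."""
    return "".join(fpr.split()).upper()

def classify(status_text, pinned_fpr=None):
    good, primary, trust = False, None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return "reject:" + keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; args[9], when present, is the
            # primary key, which is the fingerprint gpg prints for the user.
            primary = normalize(args[9] if len(args) > 9 else args[0])
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good or primary is None:
        return "reject:NO_VALID_SIGNATURE"
    if pinned_fpr and normalize(pinned_fpr) == primary:
        return "accept:pinned-fingerprint"   # validated without the WoT
    if trust in WOT_OK:
        return "accept:web-of-trust"
    return "unverified-key"  # signature is good, key ownership is unproven

# Constructed sample input, not captured from a real key.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG %s 2013-07-14 1373814309 0 4 0 1 8 00 %s" % (FPR, FPR),
    "[GNUPG:] TRUST_UNDEFINED",
])

if __name__ == "__main__":
    print(classify(SAMPLE_STATUS))        # no pin, no WoT path
    print(classify(SAMPLE_STATUS, FPR))   # fingerprint checked out of band
```

The `unverified-key` result corresponds to the warning quoted at the top of the message: the signature verifies, but nothing ties the key to its user ID.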
