Leigh S. Jones
Fri May 17 16:11:01 2002
The verification that you've performed simply tells
you that the signature confirms that the contents of
the .iso file have not changed since the signature
Your confidence in the .iso file then depends on
whether you are convinced that the signature file
has not been created by a malicious person.
The process of performing this check has given
you one answer: Was the file corrupted during
download? No! The contents of the file are
perfect as far as the creator of the signature file
This perhaps doesn't tell you that the .iso file
couldn't have been manipulated before the
signature was created. All of the messages
from gpg regarding the trust placed in the key
point to the possibility that the file could have
been signed by the wrong person. GnuPG is
not telling you that the file was signed by the
wrong person, only that the software couldn't
tell. In the case of downloads from a web
site, this is just about as good a result as you
can get. Use the .iso file, it is uncorrupted.
----- Original Message -----
From: "Robson Augusto Siscoutto" <email@example.com>
Sent: Tuesday, May 14, 2002 1:23 PM
Subject: GPG WIndowss
> I made download of the images (.iso) of the Cd of the Linux conectiva and I
> using the gpg for windows. When trying to validate the images iso,
> the following message in all of validate of the images:
> I type the command gpg --verify cl8-1.iso.asc cl8-1.iso
> Message that appears:
> gpg: Signature made 04/23/02 18:30:40 using DSA key ID 99807190
> gpg: Good signature from "Conectiva S.A.
> Could not find a valid trust path to the key. Let's see whether we
> can assign some missing owner trust values.
> No path leading to one of our keys found.
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to
> gpg: Fingerprint: 30EA E85C 3D91 C298 80B4 F0B3 E368 DDD0 9980 7190
> This correct one? can I already generate the Cd or not? If no, what
> to correct?
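The distinction drawn in the reply above (signature good, key trust unknown) can be read mechanically from GnuPG's machine-readable `--status-fd` output. The following is an added example, not part of the original thread: the status lines are constructed from the key ID and fingerprint quoted in the message, the date fields are made up, and `expected_fpr` stands for a fingerprint obtained through some channel other than the download site (an assumption).

```python
import re

# Constructed sample of what `gpg --status-fd 1 --verify cl8-1.iso.asc cl8-1.iso`
# could emit for the case quoted above. Key ID and fingerprint are the ones in
# the post; the date and timestamp fields are made up for illustration.
FPR = "30EAE85C3D91C29880B4F0B3E368DDD099807190"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG E368DDD099807190 Conectiva S.A.\n"
    f"[GNUPG:] VALIDSIG {FPR} 2002-04-23 1019586640 0 3 0 17 2 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)

def normalize_fpr(text):
    """Strip spaces from a printed fingerprint and upper-case it."""
    return re.sub(r"\s+", "", text).upper()

def assess(status_text, expected_fpr=None):
    """Separate 'file is intact' from 'signer is who I think it is'.

    expected_fpr is a fingerprint obtained through a channel other than the
    download site (an assumption of this example); None means none is available.
    """
    good = bad = False
    signer_fpr = trust = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG"):
            bad = True
        elif keyword == "VALIDSIG" and args:
            signer_fpr = args[0].upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    # Intact means: a good signature, no bad one, and a known signing key.
    intact = good and not bad and signer_fpr is not None
    confirmed = (intact and expected_fpr is not None
                 and normalize_fpr(expected_fpr) == signer_fpr)
    if not intact:
        verdict = "do-not-use"
    elif confirmed:
        verdict = "intact-signer-confirmed"
    else:
        verdict = "intact-signer-unverified"
    return {"verdict": verdict, "signer_fpr": signer_fpr, "trust": trust}
```

With no independent fingerprint the sample yields `intact-signer-unverified`, which is the situation the warning in the quoted output describes.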