gpg: WARNING
David SMITH
dave.smith at st.com
Wed Mar 18 18:04:04 CET 2009
On Wed, Mar 18, 2009 at 05:24:12PM +0530, Vinay M wrote:
> Hi,
>
> When I run command "gpg --verify <file.sig>" I get the below mentioned
> warning.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>
> 1. I want to avoid this warning. How do I do that?
> 2. Is this avoidable if I go with a trusted signature?
> 3. What does this warning exactly mean?

It means that you haven't signed the key that you are using to check the
signature, and GnuPG isn't able to validate the key with your web-of-trust.

Going back to basics for a moment...

You have got this signed file from somewhere.

You have also obtained the key which claims to be from the sender. You
might have got the key from a public keyserver, or possibly from
somewhere else.

How do you know that the key really is owned by the person it claims?
Anyone can upload a key to a keyserver claiming to be from anyone.

I could upload a key to a keyserver with the id "president at whitehouse.gov"
and you would then download it. You need to build yourself a
web-of-trust by doing some keysigning.

I suggest reading the GNU Privacy Handbook, on the GnuPG website, and
if you still have questions, come back and ask...

--
David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724
1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2
Almondsbury | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ | Home Email: David.Smith at ds-electronics.co.uk
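
An added example, not part of the original post: a verification wrapper that separates "the signature is cryptographically good" from "the signing key has been validated", which is the distinction the warning in this thread expresses. It reads GnuPG's machine-readable `--status-fd` lines; the sample status text, fingerprint and verdict names are constructed for illustration, and the code assumes a single signature per file.

```python
import subprocess

# Status keywords as documented in GnuPG's doc/DETAILS.
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}
KEY_IS_VALID = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def classify(status_text):
    """Return (verdict, signer_fingerprint) from gpg --status-fd output."""
    good, fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in FAILED:
            return ("reject", None)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2]          # full fingerprint of the signing key
        elif keyword in TRUST:
            trust = keyword          # computed validity of that key
    if not (good and fpr):
        return ("reject", None)
    if trust in KEY_IS_VALID:
        return ("good-signature-valid-key", fpr)
    # Signature checks out, but nothing ties the key to its claimed owner:
    # this is the case that prints the WARNING quoted above.
    return ("good-signature-unvalidated-key", fpr)


def verify(sig_path):
    """Run gpg on a signature file and classify the result."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    return classify(proc.stdout)


# Constructed sample status output (fingerprint and user ID are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_SIG = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
        "[GNUPG:] VALIDSIG " + FPR + " 2009-03-18 1237395844 0 3 0 17 2 00 " + FPR + "\n")
SAMPLE_UNVALIDATED = _SIG + "[GNUPG:] TRUST_UNDEFINED\n"
SAMPLE_VALIDATED = _SIG + "[GNUPG:] TRUST_FULLY\n"
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
```

The second sample is what the same verification reports once the key has been certified, for instance with `gpg --lsign-key` after checking its fingerprint with the owner through a separate channel.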