can someone verify the gnupg Fingerprint for pubkey?

Robert J. Hansen rjh at sixdemonbag.org
Sat Jun 9 20:47:52 CEST 2012


On 06/09/2012 11:57 AM, Peter Lebbing wrote:
> Suppose you would want to build from the vanilla source downloaded from
> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
> authenticity of that key?

I don't understand where this question is going.  I would find some
trusted path, obviously.  If I contact the maintainer and am told, "I
download packages and check they are signed with this fingerprint ID,"
well, then I'm already transitively validating-by-fiat that fingerprint
ID.

If instead I'm told, "I've personally met the GnuPG release authority
(i.e., Werner) and have signed that certificate," then the release
certificate is validated because it is certified by a trusted introducer.

If I'm told "beats me, Elvis comes to me in a séance and gives me all my
answers," then I would have to find some other means.


