Copy Current GPG Installation to Another Server

Doug Barton dougb at dougbarton.email
Tue Mar 17 22:04:13 CET 2015


On 3/17/15 1:54 PM, Peter Lebbing wrote:
>>> -----Original Message-----
>>> From: Doug Barton [mailto:dougb at dougbarton.email]
>>> Sent: Tuesday, March 17, 2015 3:07 PM
>>> To: Clark Rivard
>>> Subject: Re: Copy Current GPG Installation to Another Server
>>> gpg: Signature made Fri Feb 27 00:55:58 2015 PST using RSA key ID
>>> 4F25E3B6
>>> gpg: Good signature from "Werner Koch (dist sig)" [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>>>
>>> You can safely ignore the warning, it simply means that you have not
>>> validated the key yourself, which when it comes to signed packages is
>>> not really a necessity.
>
> Why is that?

Because in this situation you're often dealing with beginners who don't 
understand the subtleties involved in validating keys.

> I understand getting a validated key can be tricky in
> practice, but on the other hand, using *just* a short key ID to do your
> verification feels like the other end of the spectrum... I think you
> should at least verify the fingerprint on a web site or something.

Assuming you get the package, the signature, and the fingerprint from 
the same *.gnupg.org resources, what does that buy you?

If you've somehow downloaded the wrong key by short ID, the signature
won't validate. If you have the right key, it will. That's enough to
tell the user that the contents of the package are unaltered.

More extensive checking would be great, but would require a lot of 
documentation to teach the users how to do it ... are you volunteering 
to write it? :)

Doug
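An added example, not code from the thread or from the GnuPG project: a POSIX sh wrapper that does the extra step Peter asks for above, pinning the signer's full fingerprint from GnuPG's machine-readable status output instead of stopping at the 8-hex short key ID. It assumes gpg (GnuPG 2.x) is installed and the public key is already imported; the fingerprint, file names and status lines it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a detached
# GnuPG signature and pin the signer's FULL fingerprint rather than
# relying on the short key ID alone. Assumes gpg (GnuPG 2.x) is
# installed and the public key is already in the keyring.

# check_validsig STATUS_TEXT EXPECTED_FPR
# Parses gpg --status-fd output and succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the signing key (field 3) or as its primary
# key (the last field of VALIDSIG in GnuPG 2.x, set when a subkey signs).
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verify_pinned SIG_FILE DATA_FILE EXPECTED_FPR
# Runs gpg non-interactively with status lines on stdout. A GOODSIG from
# some other key, a BADSIG, or no signature at all all fail the check.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_validsig "$status" "$3"
}

# Constructed sample status output (placeholder fingerprint, not a real
# key) showing the lines the parser inspects. A real run would be:
#   verify_pinned package.tar.bz2.sig package.tar.bz2 "$PINNED"
PINNED='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $PINNED 2015-02-27 1425027358 0 4 0 1 10 00 $PINNED"

if check_validsig "$SAMPLE_STATUS" "$PINNED"; then
    echo "signature valid and fingerprint matches pinned key"
else
    echo "fingerprint mismatch or no valid signature" >&2
fi
```

Pin the fingerprint in the script from a source you obtained separately from the download itself; otherwise the check only proves the package matches whatever key came with it.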
