Copy Current GPG Installation to Another Server

Doug Barton dougb at dougbarton.email
Wed Mar 18 02:02:21 CET 2015


On 3/17/15 4:17 PM, Peter Lebbing wrote:
> On 2015-03-17 23:18, Doug Barton wrote:
>> I think you are asking way too much, and
>> giving near-zero value in return.
>
> I'm not asking for anything.

Originally you suggested that they verify the fingerprint, and use that 
to retrieve the key. Glad to see now that you realize that was not the 
right course of action. :)

> I suggested they check the plain SHA1
> checksum or even not check at all!

I would argue that verifying the signature when available is slightly 
better, but I won't quibble on this point. For most users it is true 
that the checksum is likely to be "just as good" as a signature 
verification.

> I'm merely opposed to making people
> think the short key ID is any good for verification purposes, or that
> "when it comes to signed packages [it] is not really a necessity" to
> check the validity of the signing key.

We will have to agree to disagree on this point.

Doug

More information about the Gnupg-users mailing list