signatures from revoked key, trusted?
C. Rossberg
cr at rheloud.net
Fri Sep 2 17:52:52 CEST 2016
Hi Gabriel,
> I have just noticed I had signed his key with my old key, which is now
> revoked in my keyring. So why does GnuPG consider the signature
> correct?
'Correctness' refers to the result of the process of 'verifying a
signature' - this has nothing to do with 'trusting a key'.
Correctness and trust belong to different realms.
You need to separate both concepts.
gpg(1) labels a signature as 'good' in order to attest that the file it
just verified
- (a) has indeed been signed by a specific private key(!) and
- (b) that this file hasn't been modified in any way on its way to you.
gpg(1) does this by 'relating' your friend's public key(!) to this key's
signature.
(More information
https://gnupg.org/gph/en/manual.html#AEN216, esp. last paragraph.
https://gnupg.org/gph/en/manual.html#AEN136)
'trust' - on the other hand - describes how thoroughly you have checked
the relation of ownership(!) between the key and the one who claims to own
it.
(More information
https://gnupg.org/faq/gnupg-faq.html#define_trust)
If Person_X claims to own Some_PubKey and you have checked successfully
that Person_X really does own it, you may start to give Person_X's key a
trust-value of 'enough'. (Now Some_PubKey appears to be Person_X's key.)
To wrap it up: 'verifying' is 'checking a checksum' - and a particular
checksum may be 'correct' even if you don't trust the key.
Hope that solves at least one of your questions.
Regards
//c
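The distinction above matters for anyone scripting around gpg: with `--status-fd 1`, gpg reports the cryptographic result (`GOODSIG`, `BADSIG`, `REVKEYSIG`, ...) and the web-of-trust result (`TRUST_UNDEFINED`, `TRUST_FULLY`, ...) on separate machine-readable lines, so a script that only looks for "Good signature" accepts files signed by any key it has ever imported. The helper below is an added example, not code from the thread or from GnuPG; it parses such status lines and only accepts a file when both the signature is good and the key is trusted at or above a chosen level. The status keyword names follow GnuPG's doc/DETAILS as I remember them, and the sample status output (key IDs, fingerprints, user IDs) is constructed for the example.

```python
"""Keep "signature is correct" separate from "key is trusted".

Run gpg as:  gpg --status-fd 1 --verify file.sig file
and feed the lines it prints to parse_status() below.
"""

# Cryptographic outcome keywords (names assumed from GnuPG doc/DETAILS).
SIG_RESULTS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Web-of-trust outcome keywords, ordered from least to most trusted.
TRUST_LEVELS = {
    "TRUST_UNDEFINED": 0,
    "TRUST_NEVER": 1,
    "TRUST_MARGINAL": 2,
    "TRUST_FULLY": 3,
    "TRUST_ULTIMATE": 4,
}


def parse_status(lines):
    """Collect the signature result and the trust result from status lines."""
    status = {"sig": None, "keyid": None, "trust": None}
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in SIG_RESULTS:
            status["sig"] = keyword
            if len(fields) > 2:
                status["keyid"] = fields[2]
        elif keyword in TRUST_LEVELS:
            status["trust"] = keyword
    return status


def decide(status, min_trust="TRUST_FULLY"):
    """Return (accepted, reason). Both checks must pass independently."""
    if status["sig"] != "GOODSIG":
        # BADSIG, REVKEYSIG (good signature, but revoked key), etc.
        return False, f"signature check failed: {status['sig']}"
    if status["trust"] is None:
        return False, "no TRUST_* line seen (was --status-fd used?)"
    if TRUST_LEVELS[status["trust"]] < TRUST_LEVELS[min_trust]:
        # This is exactly the "correct but not trusted" case from the thread.
        return False, f"signature is correct but key trust is {status['trust']}"
    return True, "good signature from a sufficiently trusted key"


# Constructed sample output; key IDs, fingerprint and user ID are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Friend <friend@example.invalid>",
    f"[GNUPG:] VALIDSIG {FPR} 2016-09-02 1472831572 0 4 0 1 8 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED[:-1] + ["[GNUPG:] TRUST_ULTIMATE 0 pgp"]
SAMPLE_REVOKED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Friend <friend@example.invalid>",
    "[GNUPG:] TRUST_FULLY 0 pgp",  # trust cannot rescue a revoked signing key
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Friend <friend@example.invalid>",
]


if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_UNTRUSTED), ("trusted", SAMPLE_TRUSTED),
                         ("revoked", SAMPLE_REVOKED_KEY), ("bad", SAMPLE_BAD)]:
        accepted, reason = decide(parse_status(sample))
        print(f"{name:10s} accepted={accepted!s:5s} {reason}")
```

Note that `SAMPLE_UNTRUSTED` is rejected even though its signature line is `GOODSIG`: that is the "correct checksum, untrusted key" situation, and the reason string says so explicitly so an operator sees which of the two checks failed.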