Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: PGP key question



On Tue, 2 Oct 2018 08:51:17 +0100
Ben Oliver <ben@xxxxxxxxxxxx> wrote:
> On 18-10-02 01:21:03, Clark Dunson wrote:
> >gpg: WARNING: This key is not certified with a trusted signature!
> >
> >gpg:          There is no indication that the signature belongs to the owner.
> >
> >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
> >
> >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
> >
> >Is there a concern here?  
> 
> This is just a warning that you have not personally signed the key, ie 
> verified that you know this person.
> 
> gpg just knows that key X was used to sign the package, it doesn't know 
> if the key truly belongs to the owner - that's on you to find out. If 
> you are 100% sure (usually after meeting the owner) you can sign the key 
> to avoid the warning.

To fill in the obvious: we're quite sure the releases were actually
signed either by Daniel or me.

pws



Messages sorted by: Reverse Date, Date, Thread, Author