Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: PGP key question

X-seq: zsh-users 23693
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: Peter Stephenson <p.stephenson@xxxxxxxxxxx>, zsh-users@xxxxxxx
Subject: Re: PGP key question
Date: Tue, 02 Oct 2018 14:15:20 +0000
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= daniel.shahaf.name; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=uOvftE 1PHE2VpdZk0y8CirA8X7jC32ckeO0IAFSLyak=; b=QPmRN4pylX20WVaCsqhIg5 +ImNDEJt+4nQZ5Wp84KgxxUPIiIwUkiky7mFqm4Ur3BUWAbTIaVU0T3N0ibWdnrI OblQu6T5IYrdzgiAGWxkIEHobVxOdy2+A043wN1fh88n8WQqWItCzaYCS5cqZ/zM KRhCni9mp93xsE0fbZKKO5t6wwhyPYqaaD4xMlFqOpAKszu1PEzcKUI/oDbubaoJ pLLXSdPVDLlZo/f5PUkF4B9k17v1OnB5aFaG/iVrs8euYbD3JhnO2e2Xb0tpoi2q 6UkEPM8MdAsjXxBcDONQerBHPD8tefs6/ThAUwjpUIDMmnZU56S8o8MHH87RIkTw ==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=uOvftE 1PHE2VpdZk0y8CirA8X7jC32ckeO0IAFSLyak=; b=TK6pAmASerVs60JxKVr850 6F7VGD95oJLKU7Gt5mbFuX7lggtK3Ul1QH5Rwy4DLtS8+pbQxMzd4Ty6OQdfmXdC aR2Ry5LgUwGxIj1TXmmJ/tSxffAS7U9/TMvQydS2p/v90uQfnJjrK3T2eZsFdqWk YUZzy2dMpgCcqiPMyQlBm3SwXWVOqGTNu9Pg9+3M8bcYmY/mdL/ttRA1BiLKy96b qJY9j1NRQbo/YaRz8mGfszuomoRxYcYn6JUKdXE72o7niP886EU2Aj4g/5mH+SIm nitdUeSxOXmZWvG7GzRQLq0QcvLeXsupNfV9LEMc+bnDwifgl5U+ZlDHoLzOYzAg ==
In-reply-to: <20181002082357eucas1p15daa8f2c0502c104b7ffe966c528571e~ZvRMqKvXa1039810398eucas1p1o@eucas1p1.samsung.com>
List-help: <mailto:zsh-users-help@zsh.org>
List-id: Zsh Users List <zsh-users.zsh.org>
List-post: <mailto:zsh-users@zsh.org>
List-unsubscribe: <mailto:zsh-users-unsubscribe@zsh.org>
Mailing-list: contact zsh-users-help@xxxxxxx; run by ezmlm
References: <BAC9B7B8-2F94-4B54-ACC0-38AF2E8706C4@contoso.com> <CGME20181002075914epcas5p426151406b599d2f9553ce3294da88016@epcas5p4.samsung.com> <20181002075117.GA7637@neptune.home.b999.me> <20181002082357eucas1p15daa8f2c0502c104b7ffe966c528571e~ZvRMqKvXa1039810398eucas1p1o@eucas1p1.samsung.com>

Peter Stephenson wrote on Tue, 02 Oct 2018 09:23 +0100:
> On Tue, 2 Oct 2018 08:51:17 +0100
> Ben Oliver <ben@xxxxxxxxxxxx> wrote:
> > On 18-10-02 01:21:03, Clark Dunson wrote:
> > >gpg: WARNING: This key is not certified with a trusted signature!
> > >
> > >gpg:          There is no indication that the signature belongs to the owner.
> > >
> > >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
> > >
> > >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
> > >
> > >Is there a concern here?  
> > 
> > This is just a warning that you have not personally signed the key, ie 
> > verified that you know this person.
> > 
> > gpg just knows that key X was used to sign the package, it doesn't know 
> > if the key truly belongs to the owner - that's on you to find out. If 
> > you are 100% sure (usually after meeting the owner) you can sign the key 
> > to avoid the warning.

In gpg(1), you can use 'lsign' to mark the key as known without
accidentally publishing the signature.  This is useful even without
verifying my identity, since it'll allow you to be sure that the 5.7
artifacts (when that version is released) will have been signed by the
same key who signed the 5.6.2 artifacts.

> To fill in the obvious: we're quite sure the releases were actually
> signed either by Daniel or me.

Follow-Ups:
- Re: PGP key question
  - From: Clark Dunson

References:
- PGP key question
  - From: Clark Dunson
- Re: PGP key question
  - From: Ben Oliver
- Re: PGP key question
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author