Security GPG Key question

Todd Freedom_Lover at pobox.com
Mon Mar 8 01:01:19 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ral77 wrote:
> I have setup the keyserver pgp.mit.edu and  gpg --recv-key 0x731002FA . 
> Then set the trust with the interactive gpg --edit-key 0x731002FA . When 
> I run rpm --checksig -v kernel-2.4.20-30.7.legacy.i686.rpm
>
> kernel-2.4.20-30.7.legacy.i686.rpm:
> MD5 sum OK: 8679be0ce60e842d0ceab9e3084cefe8
> gpg: WARNING: --honor-http-proxy is a deprecated option.
> gpg: please use "--keyserver-options honor-http-proxy" instead
> gpg: Warning: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Fri 20 Feb 2004 11:07:04 PM EST using DSA key ID 
> 731002FA
> gpg: Good signature from "Fedora Legacy (http://www.fedoralegacy.org) 
> <secnotice at fedoralegacy.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the 
> owner.
> Fingerprint: D66D 121F 9784 5E7B 2757  8C46 108C 4512 7310 02FA

> My question is about the  gpg: WARNING: This key is not certified with a 
> trusted signature!
>
> Is this related to the note on the web site  at  
> http://www.fedoralegacy.org/about/security.php

No.  This warning is because there are no signatures on the key from
other keys you trust, either your own key or someone else that
you have trust in to sign keys.

> Yesterday at the monthly LUG meeting one of the security folks
> walked me through the pgp setup on my rh8 server and I'm referencing
> the history file and attempting the setup on a rh72 server. I may
> have a procedure error as this is new for me.

One thing that will be different between rh7x and rh80 and above is
that the gpg key storage was moved from the user's gpg keyring to the
rpm database.  You seem to know that though based on importing the key
via gpg instead of rpm.

If you were checking signatures on rh80 or above, you'd use 

    rpm --import <keyfile>
    
instead of 

    gpg --recv-keys <keyid>

This is related to the note on the site you referenced above.  If you
try to import a key using rpm and that key has other signatures on it,
rpm can store the key under the wrong keyid and mess up verifications.
See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952 for
details on that annoying bug (that isn't even fixed in FC1, showing
the priority the gpg code seems to get in the rpm dev cycle).

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Every normal man must be tempted at times to spit upon his hands,
hoist the black flag and begin slitting throats.
    -- H.L. Mencken

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAS8Xeuv+09NZUB1oRAnBXAKDRexdQOBLvPULq/RFRwjdEAUQIlACdFsqT
7Y+VV1Ihl0pdk0s9aI7O+SI=
=77we
-----END PGP SIGNATURE-----
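The "not certified with a trusted signature" warning discussed above only goes away once the key carries a signature from a key you trust, and the check a practitioner wants before signing it (for example with gpg --lsign-key) is to compare the fetched key's fingerprint with one obtained out of band. The script below is an added example, not code from the thread or from Fedora Legacy: it compares the fingerprint printed in the quoted rpm output with the fpr record of gpg's --with-colons output. The gpg output it parses is a constructed sample embedded inline (the creation date and other fields are made up), so it runs without gpg installed; in real use you would pipe the output of gpg --with-colons --fingerprint into it instead.

```shell
#!/bin/sh
# Added example, not from the original thread: check a key's fingerprint
# against one published out of band before trusting or signing the key.

# Fingerprint as printed by rpm --checksig in the quoted message above.
EXPECTED_FPR="D66D 121F 9784 5E7B 2757  8C46 108C 4512 7310 02FA"

# Constructed sample of `gpg --with-colons --fingerprint 0x731002FA` output.
# Only the fpr record matters; its fingerprint sits in field 10, no spaces.
# The pub record's date and flag fields are made up for this example.
SAMPLE_GPG_OUTPUT='pub:-:1024:17:108C4512731002FA:2004-01-01:::-:Fedora Legacy (http://www.fedoralegacy.org) <secnotice@fedoralegacy.org>::scESC:
fpr:::::::::D66D121F97845E7B27578C46108C4512731002FA:'

# Drop the grouping spaces and upper-case hex digits so that a fingerprint
# copied from a web page, a business card or rpm output compares equal to
# the compact form gpg emits in colon mode.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Print the fingerprint from the first fpr record of colon-format gpg
# output read on stdin; prints nothing if there is no fpr record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: check_key_fingerprint EXPECTED COLON_OUTPUT
# Returns 0 when the key's fingerprint matches EXPECTED, 1 otherwise
# (including when the output carries no fingerprint at all).
check_key_fingerprint() {
    expected=$(normalize_fpr "$1")
    actual=$(printf '%s\n' "$2" | fpr_from_colons)
    actual=$(normalize_fpr "$actual")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

if check_key_fingerprint "$EXPECTED_FPR" "$SAMPLE_GPG_OUTPUT"; then
    echo "fingerprint matches: the key may be signed (e.g. gpg --lsign-key 0x731002FA)"
else
    echo "fingerprint MISMATCH: do not trust or sign this key" >&2
fi
```

Once the fingerprint matches, a local signature from your own key is what turns the "not certified" warning into a clean "Good signature"; a mismatch means the key you fetched is not the one Fedora Legacy published, whatever the key ID says.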