[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

certification of signatures


I have a real basic question about verifying your download for Fedora 7,
8 and 9.  I'm new to keys, signatures, certification, etc. and I haven't
been able to find what I need in the Fedora help resources. Apologies if this is the wrong place to post or if a similar post appears (not sure that it was lost).

The following is for Fedora 9. I downloaded the iso on May 8th and SHA1SUM on September 2 from the Kent mirrorservice in the UK.

If I follow the instructions at http://fedoraproject.org/en/verify I get:

[mike desktop iso]$ gpg --verify SHA1SUM
gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
gpg: Good signature from "Fedora Project <fedora redhat com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
[mike desktop iso]$

My question is do I need to worry about the lack of certification?  If I
do how do I check that the signature is certified? Also, does this have anything to do with the migration to new package keys?

I've searched the forum and mailing list and have looked at the various manuals, etc. for gnugpg but can't find what I'm looking for.

Thanks for any help,

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]