certification of signatures
Todd Zullinger
tmz at pobox.com
Fri Oct 17 19:11:48 UTC 2008
mike wrote:
> I have a real basic question about verifying your download for Fedora 7,
> 8 and 9. I'm new to keys, signatures, certification, etc. and I haven't
> been able to find what I need in the Fedora help resources. Apologies
> if this is the wrong place to post or if a similar post appears (not
> sure that it was lost).
>
> The following is for Fedora 9. I downloaded the iso on May 8th and
> SHA1SUM on September 2 from the Kent mirrorservice in the UK.
>
> If I follow the instructions at http://fedoraproject.org/en/verify I get:
>
> [mike at desktop iso]$ gpg --verify SHA1SUM
> gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
> gpg: Good signature from "Fedora Project <fedora at redhat.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
> [mike at desktop iso]$
>
> My question is do I need to worry about the lack of certification?
That really depends on how cautious you want to be.
> If I do how do I check that the signature is certified?
You can verify the fedora gpg keys by following the steps at:
https://fedoraproject.org/en/keys
The key used to sign the Fedora 9 and earlier isos is now in the
"Obsolete keys" section, but the fingerprint information on that page
is still accurate.
> Also, does this have anything to do with the migration to new
> package keys?
Nope.
Though if you download Fedora 10 Beta, you'll find that it is signed
with a new key, which is not mentioned on the /verify page. This will
hopefully be fixed¹ before Fedora 10 is released.
¹ https://fedorahosted.org/fedora-infrastructure/ticket/888
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A cynic is a man who, when he smells flowers, looks around for a
coffin.
-- H. L. Mencken
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20081017/7d93c38c/attachment-0001.sig>
More information about the fedora-list
mailing list