Tim wrote:
> I'm curious about why you'd need to do it with a local key.

Not a local key, a local, non-exportable signature, as opposed to an exportable signature, which is what gpg creates by default.

You don't "need" to use a local signature, but I feel it is preferable (especially when giving advice to folks that might not spend much time reading on the nuances of GPG).

The reason I consider it preferable is that it prevents new users from signing the fedora key with a typical, exportable signature which they can easily leak to a keyserver¹ and cost themselves some credibility as a key signer. It costs credibility, IMO, because I know that there is practically no way for those folks to have done the sort of verification of the fedora key worthy of adding their signature to the key.

My advice is that if someone feels the need to sign the fedora key to make the warnings go away, they should use a local, non-exportable signature (gpg's --lsign option). It's also well worth considering whether they need to sign the fedora key at all. :)

¹ Like this: http://keys.gnupg.net:11371/pks/lookup?op=vindex&search=0xB44269D04F2A6FD2

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Despite the high cost of living, it remains a popular item.