[Pkg-anonymity-tools] Bug#756193: seems not to properly verify download

intrigeri intrigeri at debian.org
Sun Jul 27 12:17:01 UTC 2014


Hi,

Holger Levsen wrote (27 Jul 2014 11:31:20 GMT) :
> gpg: Signature made Thu Jul 24 10:45:33 2014 CEST using RSA key ID 0E3A92E4
> gpg: Good signature from "Mike Perry (Regular use key) 
> <mikeperry at torproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: C963 C21D 6356 4E2B 10BB  335B 2984 6B3C 6836 86CC
>      Subkey fingerprint: D734 B622 C7B5 D164 D665  0CB8 717F 1F13 0E3A 92E4

This message indicates that 1. the signature is correct; 2. was made
by a key that's present in the keyring used to verify it; and 3.
wasn't certified (or otherwise marked as trusted) in that keyring.

So, if only the right keys are present in this/those keyring(s), then
it should be fine. I'm assuming that the verification is made with
GnuPG's --no-default-keyring, and --keyring pointing to a keyring that
only contains the expected TBB signing keys.

(Side note: I don't know how to mark all TBB signing keys as trusted
in that keyring, when creating/importing it, but it's
probably possible.)

Cheers!
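As an added example (not code from this thread or from the TBB packaging scripts): a small Python helper that invokes gpg the way described above, with --no-default-keyring and --keyring pointing at a dedicated keyring, and additionally asks for machine-readable status lines (--status-fd). Instead of grepping the human-readable "Good signature" text, it pins the signer's primary key fingerprint from the VALIDSIG status line, so the "not certified" warning (TRUST_UNDEFINED) plays no part in the accept/reject decision. The keyring path, file names and function names are assumptions; the sample status output used for the offline self-check is constructed from the fingerprints quoted in the message.

```python
"""Verify a detached OpenPGP signature with a dedicated keyring and pin the
signer's primary fingerprint via GnuPG's --status-fd output.

Hypothetical helper; not part of the thread or of any Debian package.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Primary key fingerprint of the expected signer, taken from the gpg output
# quoted in the message (spaces removed).
ALLOWED_PRIMARY_FPRS: Set[str] = {"C963C21D63564E2B10BB335B29846B3C683686CC"}


def build_verify_command(keyring: str, sig_path: str, data_path: str) -> List[str]:
    """argv for gpg restricted to one keyring, with status lines on stdout."""
    return [
        "gpg", "--batch",
        "--no-default-keyring",       # ignore ~/.gnupg/pubring.*
        "--keyring", keyring,         # only the expected signing keys live here
        "--status-fd", "1",           # emit "[GNUPG:] ..." lines on stdout
        "--verify", sig_path, data_path,
    ]


def parse_status(status_text: str) -> Dict[str, object]:
    """Extract the status keywords relevant to accepting a signature."""
    found: Dict[str, object] = {"valid": [], "bad": False, "expired": False, "revoked": False}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-fpr>]
            args = fields[2:]
            primary = args[9] if len(args) >= 10 else args[0]
            found["valid"].append({"signing_fpr": args[0], "primary_fpr": primary})
        elif keyword == "BADSIG":
            found["bad"] = True
        elif keyword in ("EXPSIG", "EXPKEYSIG"):
            found["expired"] = True
        elif keyword == "REVKEYSIG":
            found["revoked"] = True
    return found


def verify_status(status_text: str, allowed_primary_fprs: Set[str]) -> Tuple[bool, str]:
    """Accept only if no bad/expired/revoked signature was reported and at
    least one VALIDSIG came from a pinned primary key. Ownertrust is ignored."""
    st = parse_status(status_text)
    if st["bad"]:
        return False, "BADSIG reported"
    if st["expired"] or st["revoked"]:
        return False, "signature or key expired/revoked"
    for sig in st["valid"]:
        if sig["primary_fpr"] in allowed_primary_fprs:
            return True, "valid signature, primary key %s is pinned" % sig["primary_fpr"]
    if not st["valid"]:
        return False, "no VALIDSIG line (unknown key or verification error)"
    return False, "valid signature but signer is not in the pinned set"


def run_verify(keyring: str, sig_path: str, data_path: str,
               allowed_primary_fprs: Set[str] = ALLOWED_PRIMARY_FPRS) -> Tuple[bool, str]:
    """Run gpg and decide on its status output (requires gpg to be installed)."""
    proc = subprocess.run(build_verify_command(keyring, sig_path, data_path),
                          capture_output=True, text=True, check=False)
    return verify_status(proc.stdout, allowed_primary_fprs)


# Constructed status output for an offline self-check; the fingerprints are
# the ones quoted in the message, the timestamp matches the quoted date.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 717F1F130E3A92E4 Mike Perry (Regular use key) <mikeperry@torproject.org>
[GNUPG:] VALIDSIG D734B622C7B5D164D6650CB8717F1F130E3A92E4 2014-07-24 1406191533 0 4 0 1 10 00 C963C21D63564E2B10BB335B29846B3C683686CC
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    ok, reason = verify_status(SAMPLE_STATUS, ALLOWED_PRIMARY_FPRS)
    print(ok, reason)
    # Real use (paths are assumptions):
    # ok, reason = run_verify("/etc/tbb/keyring.gpg", "tbb.tar.xz.asc", "tbb.tar.xz")
```

The TRUST_UNDEFINED line is exactly what the quoted "WARNING: This key is not certified" corresponds to; because the decision is made on the VALIDSIG primary fingerprint, no ownertrust has to be assigned in the dedicated keyring for the check to be meaningful.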


