On Thursday 29 September 2005 18:54, vitko wrote:
> I'm reinventing the wheel while learning about Debian key signing, so far
> I've been able to verify sarge-amd64 DVD iso images via
>
> $ gpg --verify MD5SUMS.sign MD5SUMS
> gpg: Signature made Mon 13 Jun 2005 10:48:17 PM CEST using DSA key ID F6A32A8E
> gpg: Good signature from "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg: aka "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg: aka "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3F0A 12FC 0B55 A917 D791 82D3 72FD C205 F6A3 2A8E
>
> I'd like to know how to get rid of warning above. So far I've imported the
> whole Debian keyring

gpg just works this way. Why would you trust these keys until you met those people yourself? The idea is that either YOU meet these people, or that somebody you trust did it for you, or that somebody you trust knows somebody he trusts who knows this trusty gal, who had a relation with a bloke, who met the guy at this congress which he now trusts. That's what the web of trust is about.

Of course, if you implicitly and blindly trust those keys to belong to the people they claim to belong to, you could declare them to be trusted or sign them with your own private key. You can either use gpg for that directly (see help, look for edit-key and then trust or sign) or, easier, use kgpg for a friendlier interface.

But ... do you really trust those keys?

> Thanks for any enlightenment.

Hopefully it helped.

Ernest.
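
The validity rule behind that warning, as an added example that is not part of the original messages: a simplified Python model of GnuPG's classic trust model with its default thresholds. The key names (`me`, `dev_a`, `dev_b`, `image_signer`) and the keyring are constructed, and the helper names are hypothetical.

```python
# Simplified model of GnuPG's classic trust model; the thresholds mirror
# gpg's defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5).
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def valid_keys(signatures, ownertrust, my_key):
    """Return the keys considered valid (certified) from my_key's point of view.

    signatures: key -> set of keys that signed it
    ownertrust: key -> "full" | "marginal" (how far its owner is trusted to
                certify others); missing keys are not trusted as certifiers
    """
    valid = {my_key}                      # own key is ultimately trusted
    for _ in range(MAX_CERT_DEPTH):       # each round adds one hop to the path
        added = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = signers & valid      # signatures from unvalidated keys are ignored
            full = sum(s == my_key or ownertrust.get(s) == "full" for s in usable)
            marginal = sum(ownertrust.get(s) == "marginal" for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                added.add(key)
        if not added:
            break
        valid |= added
    return valid

def warns(signing_key, signatures, ownertrust, my_key="me"):
    """True when gpg would print 'not certified with a trusted signature'."""
    return signing_key not in valid_keys(signatures, ownertrust, my_key)

# Constructed keyring: developers cross-sign each other and the image signer,
# but nothing links "me" to any of them (the situation after a bare import).
IMPORTED = {"image_signer": {"dev_a", "dev_b"}, "dev_a": {"dev_b"}, "dev_b": {"dev_a"}}

def with_my_signature(signatures, key):
    """Copy of the keyring after I certify `key` (e.g. after checking its fingerprint)."""
    out = {k: set(v) for k, v in signatures.items()}
    out.setdefault(key, set()).add("me")
    return out

if __name__ == "__main__":
    signed = with_my_signature(IMPORTED, "dev_a")
    print(warns("image_signer", IMPORTED, {}))               # True: no path from me
    print(warns("image_signer", signed, {}))                 # True: dev_a valid, not a trusted certifier
    print(warns("image_signer", signed, {"dev_a": "full"}))  # False
```

Signing a key only makes that key valid; the warning on keys it has certified goes away only once its owner is also given owner trust, which is the distinction between "sign" and "trust" in the reply above.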