On Wed, Sep 12, 2001 at 12:33:51AM +0200, Björn Lindström wrote:
> I am using Mutt 1.3.20i and GnuPG 1.0.6. 
> 
> My problem is that when I view a message, like this;
> 
> ---
> 
> [-- PGP output follows (current time: Wed Sep 12 00:26:53 2001) --]
> gpg: encrypted with 1024-bit ELG-E key, ID 6CAD430E, created 2001-09-11
>       "Björn Lindström <[EMAIL PROTECTED]>"
>       gpg: Signature made Wed Sep 12 00:26:40 2001 CEST using DSA
>       key ID EF778F9A
>       gpg: Good signature from "Björn Lindström <[EMAIL PROTECTED]>"
> [-- End of PGP output --]
> 
> [-- The following data is PGP/MIME encrypted --]
> 
> test
> 
> [-- End of PGP/MIME encrypted data --]
> 
> ---
> 
> I still get an error message saying 'PGP signature could NOT be
> verified.'
> 
> I use the settings in the gpg.rc file that came with the
> Mutt Debian package. I guess this should be the interesting line:
> 
> set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
> 
> Any ideas?
> 

sounds like basic gpg key signing stuff...

you have gotten the key from a key server, website, or email but have not told
gpg that you want to sign it as being authentic.  

you would want to sign the key if you got it from a _TRUSTED_ source such as a
cdrom or ssl website, OR if you confirmed the fingerprint of the key (say in
person or over the phone) with the key's owner.

to list keys:
    [donfede@ywing donfede]$ gpg --list-keys
    /home/donfede/.gnupg/pubring.gpg
    --------------------------------
    pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc <[EMAIL PROTECTED]>
    sub  2048g/961630A2 1999-09-23


to identify a key, use the email address ([EMAIL PROTECTED]) or even better
the hex unique key identifier (DB42A60E).

once you have identified the key you can check its fingerprint with:
    [donfede@ywing donfede]$ gpg --fingerprint DB42A60E
    pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc <[EMAIL PROTECTED]>
        Key fingerprint = CA20 8686 2BD6 9DFC 65F6  ECC4 2191 80CD DB42 A60E
    sub  2048g/961630A2 1999-09-23

once you trust the key you can sign it with, as you exchange your key with
people, you will build a "web of trust" such that if your trusted friend has
signed someone else's key then you can assume that it is good:
    gpg --sign-key DB42A60E

if you "sort of kind of" trust the key, you can sign it such that it will not
leave your keyring signed with:
    gpg --lsign-key DB42A60E
    

good luck,
donfede
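
Added example, not part of the message above: a shell check that compares a fingerprint obtained out of band (in person or by phone) with the `Key fingerprint =` line in the `gpg --fingerprint` output format shown in the message, before running `--sign-key` or `--lsign-key`. The function names and the `OUT_OF_BAND` value are assumptions made for illustration; the sample output is copied from the message.

```shell
#!/bin/sh
# Added example: verify the full fingerprint before signing a key.

# normalize_fpr: strip spaces/colons/newlines and uppercase -> bare hex string.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'abcdef' 'ABCDEF'
}

# extract_fpr: read `gpg --fingerprint KEYID` output on stdin and print the
# normalized value of the first "Key fingerprint =" line (format as in the message).
extract_fpr() {
    fpr_line=$(sed -n 's/^.*Key fingerprint = *//p' | head -n 1)
    normalize_fpr "$fpr_line"
}

# fingerprint_matches EXPECTED GPG_OUTPUT
# 0 = full fingerprints match, 1 = mismatch,
# 2 = EXPECTED is not a full 40-hex-digit fingerprint (e.g. only an 8-digit key ID).
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(printf '%s\n' "$2" | extract_fpr)
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ "$expected" = "$actual" ]
}

# Output of `gpg --fingerprint DB42A60E`, copied from the message above.
SAMPLE_OUTPUT='pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc <[EMAIL PROTECTED]>
    Key fingerprint = CA20 8686 2BD6 9DFC 65F6  ECC4 2191 80CD DB42 A60E
sub  2048g/961630A2 1999-09-23'

# Constructed stand-in for the value the key owner reads out to you.
OUT_OF_BAND='ca2086862bd69dfc65f6ecc4219180cddb42a60e'

# With a real keyring, replace "$SAMPLE_OUTPUT" with "$(gpg --fingerprint DB42A60E)".
if fingerprint_matches "$OUT_OF_BAND" "$SAMPLE_OUTPUT"; then
    echo "fingerprint matches: ok to continue with --sign-key or --lsign-key"
else
    echo "mismatch or not a full fingerprint: do not sign"
fi
```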
