Re: GPG trusted signatures, dpkg-buildpackage gpg
Joe Drew [EMAIL PROTECTED] writes:

> gpg: Signature made Wed Sep 15 12:08:31 1999 EDT using DSA key ID 2FA3BC2D
> gpg: Good signature from Wichert Akkerman [EMAIL PROTECTED]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
>
> I get this with every signature verification. It didn't mention anything about trusted signatures, etc., in the keysigning-howto. Is it just an annoyance or can I set up something with my trustdb in gpg which will stop this? (Is there one person who signs all Debian developer keys?)

It's just saying that you don't know if the key really belongs to Wichert.

Given that this key only seems to have been signed by Ray Dassen and itself, in order to trust it you'd either have to tell gpg that you know that it's Wichert's key (presumably just after getting back from a key-signing) or you'd have to tell it that you trusted Ray to do that check for you (do you know him?).

In the absence of either of these, gpg is correct in telling you that you don't know if that key is really Wichert's or not.

If you actually know Ray, and you have good reason to believe that the key used to sign this key was Ray's, and you trust him not to go round signing keys without justification, then you could tell gpg about this, by editing his key (with --edit-key) and using the ``trust'' command to tell it how much you trust him.

Cheers, Phil.
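The rule behind that warning, worked through as an added example (not code from this thread or from GnuPG). It applies GnuPG's default thresholds of one fully trusted or three marginally trusted signers to a simplified signature list; the function name key_validity and the input layout are hypothetical, and every signer's own key is assumed to be valid already.

```shell
#!/bin/sh
# Added example: GnuPG's default validity rule applied to a signature list.
# Assumption: each signer's own key is already valid in your keyring.

# key_validity SIGS OWNERTRUST KEYID
#   SIGS:       lines "sig <signer-keyid> ..." as in a --list-sigs listing
#   OWNERTRUST: lines "<keyid> <marginal|full|ultimate>", i.e. what the
#               "trust" command in --edit-key records per signer
# Prints "valid" or "unknown".
key_validity() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -v self="$3" '
        $0 == "---" { insigs = 1; next }
        !insigs     { if ($1 != "") trust[$1] = $2; next }
        $1 == "sig" && $2 != self && !seen[$2]++ {
            if (trust[$2] == "full" || trust[$2] == "ultimate") full++
            else if (trust[$2] == "marginal") marginal++
        }
        END {
            # Defaults: one fully trusted or three marginally trusted signers.
            result = (full >= 1 || marginal >= 3) ? "valid" : "unknown"
            print result
        }'
}

# Constructed input: key IDs taken from the listings in this thread.
SIGS_KEYRING='sig 2FA3BC2D 1998-07-05 Wichert Akkerman
sig 17BA45CE 1998-07-05 J.H.M. Dassen (Ray)'
SIGS_UPDATED="$SIGS_KEYRING
sig 63B1C106 1998-10-25 Bart Schuller
sig BCC131DE 1998-10-26 Remco van de Meent
sig 9591557A 1998-10-28 Bart Warmerdam"
MARGINAL3='63B1C106 marginal
BCC131DE marginal
9591557A marginal'

echo "no ownertrust set:      $(key_validity "$SIGS_KEYRING" "" 2FA3BC2D)"
echo "Ray fully trusted:      $(key_validity "$SIGS_KEYRING" "17BA45CE full" 2FA3BC2D)"
echo "Ray marginally trusted: $(key_validity "$SIGS_KEYRING" "17BA45CE marginal" 2FA3BC2D)"
echo "three marginal signers: $(key_validity "$SIGS_UPDATED" "$MARGINAL3" 2FA3BC2D)"
```

The self-signature never counts toward validity, which is why a key signed only by itself and by a signer you have assigned no ownertrust stays "unknown" even though the signature check itself is good.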
Re: GPG trusted signatures, dpkg-buildpackage gpg
Previously Joe Drew wrote:

> Also, I think I read something about dpkg-buildpackage automatically choosing gpg when you haven't got a .pgp/secring.pgp - I haven't got one, but it still chooses PGP anyways. What's up? (My pgp keyrings are in the ~/.gnupg directory)

Weird. Is $HOME correct for you? Here is the relevant code snippet from dpkg-buildpackage:

    if [ -e $HOME/.gnupg/secring.gpg -a ! -e $HOME/.pgp/secring.pgp ] ; then
        signcommand=gpg
    fi
    if [ -e $HOME/.pgp/secring.pgp -a ! -e $HOME/.gnupg/secring.gpg ] ; then
        signcommand=pgp
    fi

Perhaps we should change that so gpg will be used by default if $HOME/.gnupg/secring.gpg exists?

I also noticed that the gpg-support in dpkg-buildpackage is currently broken. I hope to fix that later this week.

Wichert.

--
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: [EMAIL PROTECTED]
WWW: http://www.wi.leidenuniv.nl/~wichert/
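The selection logic quoted above next to the proposed default, as an added example (not dpkg-buildpackage source). The function names and the scratch directories are constructed for illustration, and the initial value "pgp" is an assumption taken from the behaviour reported in the question.

```shell
#!/bin/sh
# Added example, not dpkg-buildpackage source.

# pick_current HOME_DIR: the two tests quoted in the message. The "pgp"
# starting value is an assumption based on the reported behaviour.
pick_current() {
    signcommand=pgp
    if [ -e "$1/.gnupg/secring.gpg" ] && [ ! -e "$1/.pgp/secring.pgp" ]; then
        signcommand=gpg
    fi
    if [ -e "$1/.pgp/secring.pgp" ] && [ ! -e "$1/.gnupg/secring.gpg" ]; then
        signcommand=pgp
    fi
    echo "$signcommand"
}

# pick_proposed HOME_DIR: gpg whenever a GnuPG secret keyring exists.
pick_proposed() {
    if [ -e "$1/.gnupg/secring.gpg" ]; then echo gpg; else echo pgp; fi
}

# make_home GPG PGP: scratch home with the requested keyrings (constructed).
make_home() {
    d=$(mktemp -d)
    if [ "$1" = yes ]; then mkdir "$d/.gnupg"; : > "$d/.gnupg/secring.gpg"; fi
    if [ "$2" = yes ]; then mkdir "$d/.pgp"; : > "$d/.pgp/secring.pgp"; fi
    echo "$d"
}

for combo in "no no" "yes no" "no yes" "yes yes"; do
    set -- $combo
    h=$(make_home "$1" "$2")
    echo "gnupg=$1 pgp=$2 current=$(pick_current "$h") proposed=$(pick_proposed "$h")"
    rm -rf "$h"
done

# A HOME that does not point at the real home directory fails both tests,
# so the starting value is used even though a GnuPG keyring exists.
h=$(make_home yes no)
echo "wrong HOME: current=$(pick_current "$h/missing")"
rm -rf "$h"
```

The two branches differ only when both secret keyrings are present, and a wrong $HOME reproduces the reported symptom without either keyring test matching.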
Re: GPG trusted signatures, dpkg-buildpackage gpg
Previously Philip Hands wrote:

> Given that this key only seems to have been signed by Ray Dassen and itself

Did you update your keyring recently? I have a bit more signatures:

    pub 1024D/2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 63B1C106 1998-10-25 Bart Schuller [EMAIL PROTECTED]
    sig BCC131DE 1998-10-26 Remco van de Meent [EMAIL PROTECTED]
    sig 9591557A 1998-10-28 Bart Warmerdam [EMAIL PROTECTED]
    sig B4D6DE13 1998-10-26 Paul Slootman [EMAIL PROTECTED]
    sig 42CFFE4B 1999-04-19 Ruud de Rooij [EMAIL PROTECTED]
    gpg: can't handle public key algorithm 192
    sig 6CE5FB54 1999-01-05 [User id not found]
    sig B98D36A9 1999-05-31 David Frey [EMAIL PROTECTED]
    sig 17BA45CE 1998-07-05 J.H.M. Dassen (Ray) [EMAIL PROTECTED]
    sig 672D05C1 1999-06-02 J.H.M. Dassen (Ray) [EMAIL PROTECTED]
    sig BD8B050D 1999-06-26 Roland Rosenfeld [EMAIL PROTECTED]
    sig 9DA5CAD8 1999-06-27 Philipp Frauenfelder [EMAIL PROTECTED]
    sig 26CC7853 1999-06-28 Christian Kurz [EMAIL PROTECTED]
    sig 1F7AFC9B 1999-06-28 [User id not found]
    sig 87978569 1999-06-28 [User id not found]
    sig 3DC576F7 1999-06-28 Roman Hodek [EMAIL PROTECTED]
    sig 2E7AAACD 1999-06-29 [User id not found]
    sig 788A3F4C 1999-09-12 Joey Hess [EMAIL PROTECTED]
    sub 2048G/C76F38D2 1998-07-05
    sig 17BA45CE 1998-07-05 J.H.M. Dassen (Ray) [EMAIL PROTECTED]
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]

The second signature from Ray is due to a bug in a previous GnuPG, I haven't figured out how to remove it yet.. I also have no clue what algorithm 192 is. Anyone with ideas?

Wichert.
Re: GPG trusted signatures, dpkg-buildpackage gpg
On Thu, Sep 16, 1999 at 00:02:10 +0100, Philip Hands wrote:

> Given that this key only seems to have been signed by Ray Dassen and itself,

Even with the updates Wichert mentions, the web of trust for Debian GPG keys is still a lot sparser than the PGP one. I've pointed out one possible approach to strengthening it (using RSA keys to sign DH/DSA ones) in http://www.debian.org/Bugs/db/25/25554.html .

> and you have good reason to believe that the key used to sign this key was Ray's,

In this case, you can be reasonably sure: my RSA key is unrevoked and very widely signed (it made http://www.cl.cam.ac.uk/Research/Security/Trust-Register/); I used it to sign my GPG key (which has a number of other signatures on it as well) with which I signed Wichert's GPG key.

Of course this depends on one's level of paranoia. Using crypto wisely and effectively is a matter of keeping one's paranoia high, but not reducing it ad absurdum (how do you know I'm not an alien with space/time travel technology capable of intercepting your private key and viewing you type your passphrase?).

Ray

--
PATRIOTISM A great British writer once said that if he had to choose between betraying his country and betraying a friend he hoped he would have the decency to betray his country.
- The Hipcrime Vocab by Chad C. Mulligan
Re: GPG trusted signatures, dpkg-buildpackage gpg
At 14:39 +0200 1999-09-16, Wichert Akkerman wrote:

> I also noticed that the gpg-support in dpkg-buildpackage is currently broken.

Pardon me? In what manner is it broken?

--
Joel Klecker (aka Espy) Debian GNU/Linux Developer
URL:mailto:[EMAIL PROTECTED] URL:mailto:[EMAIL PROTECTED]
URL:http://web.espy.org/ URL:http://www.debian.org/
Re: GPG trusted signatures, dpkg-buildpackage gpg
Wichert Akkerman [EMAIL PROTECTED] writes:

> Previously Philip Hands wrote:
> > Given that this key only seems to have been signed by Ray Dassen and itself
>
> Did you update your keyring recently? I have a bit more signatures:

    sheikh:~$ dpkg -l debian-keyring
    Desired=Unknown/Install/Remove/Purge
    | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name Version Description
    +++-===-==-
    ii debian-keyring 1999.09.12 GnuPG (and obsolete PGP) keys of Debian Deve

Seems recent to me.

    sheikh:~$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-sigs 2FA3BC2D
    pub 1024D/2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sub 2048G/C76F38D2 1998-07-05
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 17BA45CE 1998-07-05 J.H.M. Dassen (Ray) [EMAIL PROTECTED]
    pub 1024D/2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sub 2048G/C76F38D2 1998-07-05
    sig 2FA3BC2D 1998-07-05 Wichert Akkerman [EMAIL PROTECTED]
    sig 17BA45CE 1998-07-05 J.H.M. Dassen (Ray) [EMAIL PROTECTED]

Hm, still no new sigs, let's check the pgp.net servers:

    sheikh:~$ gpg --recv-key 2FA3BC2D
    gpg: requesting key 2FA3BC2D from wwwkeys.pgp.net ...
    gpg: key 2FA3BC2D: not changed
    gpg: key 0464E7E5: already in trusted key table
    gpg: Total number processed: 1
    gpg: unchanged: 1

Looks like you've not uploaded it to debian or anywhere else since getting those signatures.

Is this yet more proof that you are an imposter? What have you done with our Glorious Leader? ;-)

Cheers, Phil.
Re: GPG trusted signatures, dpkg-buildpackage gpg
Previously Philip Hands wrote:

> Seems recent to me.

Ah, I vaguely remember James saying he wouldn't update my key since it made gpg crash or so.. let's hope that bug is fixed by now!

> Looks like you've not uploaded it to debian or anywhere else since getting those signatures.

The keyservers couldn't handle DSS-keys a while ago, that is probably fixed now. I already mailed James an update.

> Is this yet more proof that you are an imposter?

Yet more? There is other proof? Damn. Okay, I might as well admit now that the cloning-experiment seems to have failed. In light of this we'll release the original Wichert..

Wichert.
Re: GPG trusted signatures, dpkg-buildpackage gpg
Previously Joel Klecker wrote:

> Pardon me? In what manner is it broken?

-sgpg shouldn't be necessary. I've fixed that in my sourcetree (soon to be in the CVS as well).

Wichert.
Re: GPG trusted signatures, dpkg-buildpackage gpg
On Thu, Sep 16, 1999 at 04:36:22PM +0200, J.H.M. Dassen Ray wrote:

> Of course this depends on one's level of paranoia. Using crypto wisely and effectively is a matter of keeping one's paranoia high, but not reducing it ad absurdum (how do you know I'm not an alien with space/time travel technology capable of intercepting your private key and viewing you type your passphrase?).

Ha! I thought so. :)

Seriously, I do wonder why there doesn't appear to be any one (or few) person(s) in whom we can place our trust to validate the other people on the Debian keyring. Is there, and I haven't looked hard enough?