This is not a problem; what this means is that you have not chosen to
trust this signature. You can do so by signing the public key on your
ring.

A safe way to trust the verification key is to call a person on the phone
that you can be absolutely certain works for kernel.org, get them to
verbally verify the key fingerprint that you have, so that you know that
you have an authentic key.

Even better would be to present yourself in person at the galactic
headquarters of the kernel archives, and seek an audience with the being
that is responsible for signing the distributed works, and audit their key
security (just make sure they're taking precautions you would), and on the
spot get a copy of their key on a floppy disk, copied from a machine that
is _not_ on the network, much less the internet. And then carry that
floppy home with you and install their key on your keyring.

Any way you get it, make sure you sign the key on your keyring to tell the
software that you trust the key is authentic. Else someone wishing you
harm might put a new key claiming to be Linux Kernel Archive Verification
Key on your keyring just before sending you a trojanned kernel (perhaps
via hijacked ftp session).

On Mon, Nov 01, 1999 at 02:23:32PM -0600, Robert Giles wrote:
> Trying to verify kernel source per the page at
> http://www.kernel.org/signature.html, but run into this:
>
> -----
> # gpg --verify linux-2.2.13.tar.bz2.sign linux-2.2.13.tar.bz2
> gpg: Signature made Tue Oct 19 19:41:47 1999 CDT using DSA key ID 1E1A8782
> gpg: Good signature from "Linux Kernel Archives Verification Key
> <[EMAIL PROTECTED]>"
> Could not find a valid trust path to the key. Let's see whether we
> can assign some missing owner trust values.
>
> No path leading to one of our keys found.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 9DB4 C3A4 EF2A 3111 9072 82F3 F2A5 75DC 1E1A 8782
> -----
>
> I've imported the key on the web page:
> -----
> # gpg --list-keys
> /root/.gnupg/pubring.gpg
> ------------------------
> pub 1024D/1E1A8782 1999-10-05 Linux Kernel Archives Verification Key
> <[EMAIL PROTECTED]>
> sub 2048g/BF890930 1999-10-05
> -----
>
> Should I be concerned with the warning message?
>
> TIA
>
> --rgiles
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
--
_____________________ _ _ _________________________
Michael Rice |_| Collective |_| http://www.colltech.com
[EMAIL PROTECTED] |_ Technologies _| 8007598888/8019292 pager
Consultant [] [] "The Power Of Many Minds"
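
The check discussed in this thread, as an added example that is not part of the original messages or of kernel.org's instructions: a shell function that reads gpg's `--status-fd` output and accepts a signature only when it is good and was made by the key whose fingerprint was confirmed out of band. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage (hypothetical wiring):
#   gpg --status-fd 1 --verify linux-2.2.13.tar.bz2.sign linux-2.2.13.tar.bz2 \
#       2>/dev/null | check_sig_status "$PINNED_FPR"

# Strip spaces and upper-case a fingerprint so both forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Reads gpg status lines on stdin; $1 is the fingerprint confirmed out of band.
# Prints match:<TRUST> | mismatch | bad | nosig; returns 0 only on a match.
check_sig_status() {
    pinned=$(normalize_fpr "$1")
    good=0; bad=0; fpr=""; trust="UNKNOWN"
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG) good=1 ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            VALIDSIG)
                # Field 1 is the signing key; field 10, when present,
                # is the primary key fingerprint, which is what gets pinned.
                set -- $rest
                if [ $# -ge 10 ]; then fpr=${10}; else fpr=$1; fi ;;
            TRUST_*) trust=${kw#TRUST_} ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo bad; return 1; fi
    if [ "$good" -eq 0 ] || [ -z "$fpr" ]; then echo nosig; return 1; fi
    if [ "$(normalize_fpr "$fpr")" != "$pinned" ]; then echo mismatch; return 1; fi
    echo "match:$trust"
}

# Fingerprint as printed in the thread; the status lines below are constructed.
PAGE_FPR='9DB4 C3A4 EF2A 3111 9072 82F3 F2A5 75DC 1E1A 8782'
SAMPLE_STATUS='[GNUPG:] GOODSIG F2A575DC1E1A8782 Linux Kernel Archives Verification Key
[GNUPG:] VALIDSIG 9DB4C3A4EF2A3111907282F3F2A575DC1E1A8782 1999-10-20 940380107 0 3 0 17 2 00 9DB4C3A4EF2A3111907282F3F2A575DC1E1A8782
[GNUPG:] TRUST_UNDEFINED'

printf '%s\n' "$SAMPLE_STATUS" | check_sig_status "$PAGE_FPR"
```

A result of `match:UNDEFINED` corresponds to the situation in the thread: the signature is good and the fingerprint is the expected one, but the key has not been certified on the local keyring.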