On 6 July 2016 at 17:13, Andrew Stitcher <astitc...@redhat.com> wrote:
>
>> NOTE: gpg gave me this:
>>
>> gpg --verify qpid-proton-0.13.1.tar.gz.asc qpid-proton-0.13.1.tar.gz
>> gpg: Signature made Fri 01 Jul 2016 10:08:26 PM EDT using RSA key ID C6B459DB
>> gpg: Good signature from "Justin Ross (CODE SIGNING KEY) <jross@apache.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: F1B5 7706 904F AD58 4D55 21D5 648A 8E57 C6B4 59DB
>>
>> I don't usually do the .asc check so I don't know if this is normal.
>
> I think this means that you personally don't trust that the signature
> belongs to who it says it belongs to and is not forged.
>
> So you need to verify p2p that the key actually belongs to Justin and
> mark it trusted yourself, then you won't get the message.
>
> Andrew
>
It's configurable what it means, I believe, with things like whether you signed it, a chain of people you trust [to differing degrees] signed it, etc., all contributing. A quick Google gives https://www.gnupg.org/gph/en/manual.html#AEN346 and https://www.gnupg.org/gph/en/manual.html#AEN385

We should probably do better at cross-signing to aid in avoiding this. The fact that the key is available direct from an ASF server (vs some other) gives a little more confidence than if otherwise, but cross signing more would be an improvement.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org
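The thread's advice is to establish trust in the key through the web of trust (verify in person, then sign it locally). A release-verification script does not have to wait for that: it can pin the signer's primary-key fingerprint and read gpg's machine-readable status lines, where VALIDSIG carries the full 40-hex fingerprint whether or not the key has any ownertrust. The script below is an added example of that approach; it is mine, not code from the thread, the Qpid project or the ASF. The pinned fingerprint is the one printed in the quoted gpg output; in practice you would take it from the project's KEYS file (assumed location: https://www.apache.org/dist/qpid/KEYS). The sample status output is constructed for the release named in the thread and follows the status-line layout documented in gnupg's doc/DETAILS.

```sh
#!/bin/sh
# Added example (not from the thread or the Qpid project): verify a release
# signature by pinning the signer's primary-key fingerprint instead of
# reading gpg's human output, which says "Good signature" even when the
# key's trust is undefined.

# Fingerprint printed in the quoted gpg output above; in practice take it
# from the project's KEYS file (assumption: https://www.apache.org/dist/qpid/KEYS).
PINNED_FPR='F1B5 7706 904F AD58 4D55 21D5 648A 8E57 C6B4 59DB'

# Constructed sample of what `gpg --status-fd 1 --verify` emits for that
# release; field layout follows gnupg's doc/DETAILS. Note TRUST_UNDEFINED:
# the signature is cryptographically valid, only the web of trust is silent.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 648A8E57C6B459DB Justin Ross (CODE SIGNING KEY) <jross@apache.org>
[GNUPG:] VALIDSIG F1B57706904FAD584D5521D5648A8E57C6B459DB 2016-07-02 1467425306 0 4 0 1 8 00 F1B57706904FAD584D5521D5648A8E57C6B459DB
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Canonical form of a fingerprint: no spaces, upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status STATUS_TEXT EXPECTED_FPR
# Prints a verdict and returns 0 only when exactly one VALIDSIG line names
# the pinned primary key and no failure status line is present.
check_status() {
    status=$1
    want=$(norm_fpr "$2")
    case "$want" in
        *[!0-9A-F]*|'') echo "bad-pin"; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "bad-pin"; return 2; }

    # Any of these makes the signature unusable even if VALIDSIG also appears.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        echo "bad-signature"; return 1
    fi

    n=$(printf '%s\n' "$status" | grep -c '^\[GNUPG:\] VALIDSIG ' || true)
    [ "$n" -eq 1 ] || { echo "no-single-validsig"; return 1; }

    # The last field is the primary-key fingerprint; a signature made by a
    # subkey puts the subkey fingerprint in field 3. Older gpg omits the
    # trailing primary fingerprint, leaving the 2-char sig class last, so
    # fall back to field 3 in that case.
    got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        f = $NF; if (length(f) != 40) f = $3; print f }')
    if [ "$got" = "$want" ]; then
        echo "pinned-key-ok"; return 0
    fi
    echo "wrong-key"; return 1
}

# verify_release TARBALL SIGFILE EXPECTED_FPR
# Status lines go to stdout (fd 1); gpg's human-readable chatter goes to stderr.
verify_release() {
    st=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status "$st" "$3"
}

# Usage: sh verify-release.sh qpid-proton-0.13.1.tar.gz qpid-proton-0.13.1.tar.gz.asc
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" "$PINNED_FPR"
fi
```

Two points the human output hides: the 8-hex "RSA key ID C6B459DB" is a short key ID and can collide, so compare full fingerprints; and "Good signature" plus a trust warning is the same VALIDSIG line as a fully trusted key, only TRUST_UNDEFINED instead of TRUST_ULTIMATE follows it. If you do verify the key with Justin in person, `gpg --lsign-key` makes a local, non-exportable certification that silences the warning without publishing anything; the fingerprint pin above works either way.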