* GPG warning when installing on Debian 9
@ 2018-01-22 18:32 Evan Rowley
2018-01-22 19:31 ` Efraim Flashner
2018-01-22 19:41 ` Andreas Enge
0 siblings, 2 replies; 3+ messages in thread
From: Evan Rowley @ 2018-01-22 18:32 UTC (permalink / raw)
To: help-guix
[-- Attachment #1: Type: text/plain, Size: 1188 bytes --]
Hi All,
When attempting to install on Debian 9, the following was shown. I just
wanted to ask here if this was the expected output.
evan@c32foss:~$ gpg --verify guix-binary-0.14.0.x86_64-linux.tar.xz.sig
gpg: assuming signed data in 'guix-binary-0.14.0.x86_64-linux.tar.xz'
gpg: Signature made Thu 07 Dec 2017 03:30:08 AM EST
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
gpg: aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
gpg: aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>"
[unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
recieve even after following the step to add the public key from the MIT
server.
Steps I am referring to are here:
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
--
- EJR
[-- Attachment #2: Type: text/html, Size: 1718 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: GPG warning when installing on Debian 9
2018-01-22 18:32 GPG warning when installing on Debian 9 Evan Rowley
@ 2018-01-22 19:31 ` Efraim Flashner
2018-01-22 19:41 ` Andreas Enge
1 sibling, 0 replies; 3+ messages in thread
From: Efraim Flashner @ 2018-01-22 19:31 UTC (permalink / raw)
To: Evan Rowley; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 2675 bytes --]
On Mon, Jan 22, 2018 at 01:32:39PM -0500, Evan Rowley wrote:
> Hi All,
>
> When attempting to install on Debian 9, the following was shown. I just
> wanted to ask here if this was the expected output.
>
> evan@c32foss:~$ gpg --verify guix-binary-0.14.0.x86_64-linux.tar.xz.sig
> gpg: assuming signed data in 'guix-binary-0.14.0.x86_64-linux.tar.xz'
> gpg: Signature made Thu 07 Dec 2017 03:30:08 AM EST
> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
> gpg: aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
> gpg: aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>"
> [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
>
> The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
> recieve even after following the step to add the public key from the MIT
> server.
>
> Steps I am referring to are here:
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
>
efraim@macbook41 ~$ gpg -k 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
pub rsa4096/0x090B11993D9AEBB5 2014-08-11 [SC] [expires: 2018-04-23]
Key fingerprint = 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
uid [ full ] Ludovic Courtès <ludo@gnu.org>
uid [ full ] Ludovic Courtès <ludo@chbouib.org>
uid [ full ] Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>
sub rsa4096/0x2C27F831C135697E 2014-08-11 [E]
the [unknown] just means that there's no trust path between keys that
you've signed and Ludovic's key. The WARNING is just gpg's way of
displaying that information.
If it were bad it'd look more like this:
(ins)efraim@macbook41 ~$ gpg --detach-sign gpl-3.0.txt
gpg: using "CA3D8351" as default secret key for signing
(ins)efraim@macbook41 ~$ mv gpl-3.0.txt.sig farm.blend.sig
(ins)efraim@macbook41 ~$ gpg --verify farm.blend.sig
gpg: assuming signed data in 'farm.blend'
gpg: Signature made Mon 22 Jan 2018 09:30:43 PM IST
gpg: using RSA key A28BF40C3E551372662D14F741AAE7DCCA3D8351
gpg: BAD signature from "Efraim Flashner <efraim@flashner.co.il>" [ultimate]
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: GPG warning when installing on Debian 9
2018-01-22 18:32 GPG warning when installing on Debian 9 Evan Rowley
2018-01-22 19:31 ` Efraim Flashner
@ 2018-01-22 19:41 ` Andreas Enge
1 sibling, 0 replies; 3+ messages in thread
From: Andreas Enge @ 2018-01-22 19:41 UTC (permalink / raw)
To: Evan Rowley; +Cc: help-guix
Hello,
On Mon, Jan 22, 2018 at 01:32:39PM -0500, Evan Rowley wrote:
> gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
>
> The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
> recieve even after following the step to add the public key from the MIT
> server.
this is expected, and it means that you did not assign any trust value to
the key used for signing. To simplify things extremely, it means that the
software was signed by the key "3CE4...", but that you do not know Ludovic
Courtès, and in particular do not know that this key really belongs to the
Ludovic Courtès person as it is claimed.
So things are fine, no need to worry.
Andreas
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-01-22 19:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-01-22 18:32 GPG warning when installing on Debian 9 Evan Rowley
2018-01-22 19:31 ` Efraim Flashner
2018-01-22 19:41 ` Andreas Enge
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).