From: Ricardo Wurmus
Subject: Re: gpg --verify
Date: Fri, 17 Feb 2017 14:42:53 +0100
Message-ID: <87poih7x2a.fsf@elephly.net>
References: <87r32x7zpl.fsf@elephly.net>
To: Catonano
Cc: help-guix

Catonano writes:

> There's a warning
>
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
>
> is this good enough ?

Yes, this sounds scary but it is expected. With GPG you can assign a level of trust to keys. If there’s a signature on my key from a key that you have marked as trusted (e.g. Ludo’s signature, and you mark Ludo’s key as trustworthy), then the warning would change or disappear.

The warning just indicates that there is no “trust path” to my key. If this were a forged signature you would see a scarier validation error, not just a warning.

It’s not great UX, I agree.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
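
The difference between the "no trust path" warning and a failed verification, as an added example that is not part of the original message or of Guix: a parser for the status lines gpg emits with `--status-fd`, which separates a valid signature from an untrusted key, a bad signature, and a signature by an unexpected key. The status text is constructed sample input, the verdict names are hypothetical, and the pinned fingerprint is the one in the signature line of the message above.

```python
# Added example: classify the machine-readable output of
#   gpg --status-fd 1 --verify FILE.sig FILE
# Verdict names are hypothetical; the sample status text is constructed.
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}
# Fingerprint copied from the signature line of the message above.
PINNED = "BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC"
FPR = PINNED.replace(" ", "")

def classify(status_text, expected_fpr=PINNED):
    """Return (verdict, detail) for the status lines of one signature."""
    good, fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable warnings are not parsed
        keyword, *args = line.split()[1:] or [""]
        if keyword in FAILURES:
            return ("FAIL", keyword)  # forged, corrupt or unverifiable
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10, when present, is the primary key fingerprint.
            fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword in TRUST:
            trust = keyword
    if not good or fpr is None:
        return ("FAIL", "no GOODSIG/VALIDSIG pair")
    if fpr != expected_fpr.replace(" ", "").upper():
        return ("FAIL", "signed by unexpected key " + fpr)
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return ("OK", trust)
    return ("OK_UNTRUSTED", trust or "no trust line")

# Constructed status text for the case in the message: valid signature,
# no trust path to the signing key.
UNTRUSTED_SAMPLE = f"""\
gpg: WARNING: This key is not certified with a trusted signature!
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {FPR[-16:]} Ricardo Wurmus
[GNUPG:] VALIDSIG {FPR} 2017-01-01 1483228800 0 4 0 1 8 00 {FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed status text for a signature that does not match the data.
FORGED_SAMPLE = f"""\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG {FPR[-16:]} Ricardo Wurmus
"""

if __name__ == "__main__":
    print(classify(UNTRUSTED_SAMPLE))
    print(classify(FORGED_SAMPLE))
```

The `OK_UNTRUSTED` verdict corresponds to the warning quoted in the thread: the signature checks out, and only the trust path to the key is missing.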