unofficial mirror of help-guix@gnu.org 
* GPG warning when installing on Debian 9
@ 2018-01-22 18:32 Evan Rowley
  2018-01-22 19:31 ` Efraim Flashner
  2018-01-22 19:41 ` Andreas Enge
  0 siblings, 2 replies; 3+ messages in thread
From: Evan Rowley @ 2018-01-22 18:32 UTC (permalink / raw)
  To: help-guix


Hi All,

When attempting to install on Debian 9, the following was shown. I just
wanted to ask here if this was the expected output.

evan@c32foss:~$ gpg --verify guix-binary-0.14.0.x86_64-linux.tar.xz.sig
gpg: assuming signed data in 'guix-binary-0.14.0.x86_64-linux.tar.xz'
gpg: Signature made Thu 07 Dec 2017 03:30:08 AM EST
gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
gpg:                 aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
gpg:                 aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5

The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
receive even after following the step to add the public key from the MIT
server.

Steps I am referring to are here:
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation




-- 
 - EJR


* Re: GPG warning when installing on Debian 9
  2018-01-22 18:32 GPG warning when installing on Debian 9 Evan Rowley
@ 2018-01-22 19:31 ` Efraim Flashner
  2018-01-22 19:41 ` Andreas Enge
  1 sibling, 0 replies; 3+ messages in thread
From: Efraim Flashner @ 2018-01-22 19:31 UTC (permalink / raw)
  To: Evan Rowley; +Cc: help-guix


On Mon, Jan 22, 2018 at 01:32:39PM -0500, Evan Rowley wrote:
> Hi All,
> 
> When attempting to install on Debian 9, the following was shown. I just
> wanted to ask here if this was the expected output.
> 
> evan@c32foss:~$ gpg --verify guix-binary-0.14.0.x86_64-linux.tar.xz.sig
> gpg: assuming signed data in 'guix-binary-0.14.0.x86_64-linux.tar.xz'
> gpg: Signature made Thu 07 Dec 2017 03:30:08 AM EST
> gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
> gpg:                 aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
> gpg:                 aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
> 
> The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
> receive even after following the step to add the public key from the MIT
> server.
> 
> Steps I am referring to are here:
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
> 

efraim@macbook41 ~$ gpg -k 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
pub   rsa4096/0x090B11993D9AEBB5 2014-08-11 [SC] [expires: 2018-04-23]
      Key fingerprint = 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
uid                   [  full  ] Ludovic Courtès <ludo@gnu.org>
uid                   [  full  ] Ludovic Courtès <ludo@chbouib.org>
uid                   [  full  ] Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>
sub   rsa4096/0x2C27F831C135697E 2014-08-11 [E]

The [unknown] just means that there's no trust path between keys that
you've signed and Ludovic's key. The WARNING is just gpg's way of
displaying that information.

If it were bad it'd look more like this:
(ins)efraim@macbook41 ~$ gpg --detach-sign gpl-3.0.txt
gpg: using "CA3D8351" as default secret key for signing
(ins)efraim@macbook41 ~$ mv gpl-3.0.txt.sig farm.blend.sig
(ins)efraim@macbook41 ~$ gpg --verify farm.blend.sig
gpg: assuming signed data in 'farm.blend'
gpg: Signature made Mon 22 Jan 2018 09:30:43 PM IST
gpg:                using RSA key A28BF40C3E551372662D14F741AAE7DCCA3D8351
gpg: BAD signature from "Efraim Flashner <efraim@flashner.co.il>" [ultimate]

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* Re: GPG warning when installing on Debian 9
  2018-01-22 18:32 GPG warning when installing on Debian 9 Evan Rowley
  2018-01-22 19:31 ` Efraim Flashner
@ 2018-01-22 19:41 ` Andreas Enge
  1 sibling, 0 replies; 3+ messages in thread
From: Andreas Enge @ 2018-01-22 19:41 UTC (permalink / raw)
  To: Evan Rowley; +Cc: help-guix

Hello,

On Mon, Jan 22, 2018 at 01:32:39PM -0500, Evan Rowley wrote:
> gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
> 
> The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
> receive even after following the step to add the public key from the MIT
> server.

this is expected, and it means that you did not assign any trust value to
the key used for signing. To simplify things extremely, it means that the
software was signed by the key "3CE4...", but that you do not know Ludovic
Courtès, and in particular do not know that this key really belongs to the
Ludovic Courtès person as it is claimed.

So things are fine, no need to worry.

Andreas
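
The two replies above separate signature validity from key trust. As an added example (not part of any message in this thread, and not Guix's own tooling), the script below makes the same distinction from gpg's machine-readable `--status-fd` output and pins the fingerprint instead of relying on a trust path. The function names are hypothetical, and the sample status lines, including their timestamp fields, are constructed.

```shell
#!/bin/sh
# Added example: separate "is the signature valid?" from "do I trust the key?".

# Fingerprint as printed in the thread; confirm it through a second channel.
PINNED_FPR=3CE464558A84FDC69DB40CFB090B11993D9AEBB5

# classify_status FPR: read `gpg --status-fd` lines on stdin, print a verdict:
#   bad      - BADSIG/ERRSIG seen, or no VALIDSIG line at all
#   wrongkey - cryptographically valid, but not made by the pinned key
#   good     - valid and made by the pinned key (TRUST_* lines are ignored,
#              because the pin stands in for a web-of-trust path)
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            valid = 1
            # $3 = signing key, $NF = primary key; "" forces string compare
            if (($3 "") == (want "") || ($NF "") == (want "")) pinned = 1
        }
        END {
            if (bad || !valid) print "bad"
            else if (!pinned)  print "wrongkey"
            else               print "good"
        }'
}

# verify_pinned SIGFILE: run gpg on a detached signature and classify it.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | classify_status "$PINNED_FPR"
}

# Constructed status output modelled on the two cases shown in the thread.
sample_untrusted_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Ludovic Courtès <ludo@gnu.org>
[GNUPG:] VALIDSIG 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 2017-12-07 1512635408 0 4 0 1 8 00 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 41AAE7DCCA3D8351 Efraim Flashner <efraim@flashner.co.il>
EOF
}

echo "good signature, unknown trust: $(sample_untrusted_good | classify_status "$PINNED_FPR")"
echo "data does not match signature: $(sample_bad | classify_status "$PINNED_FPR")"
```

On a real download, `verify_pinned guix-binary-0.14.0.x86_64-linux.tar.xz.sig` prints one of the three verdicts; a `wrongkey` result covers the case the human-readable "Good signature" line alone does not, a valid signature from some other imported key.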
