-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ral77 wrote:
> I have setup the keyserver pgp.mit.edu and gpg --recv-key 0x731002FA .
> Then set the trust with the interactive gpg --edit-key 0x731002FA . When
> I run rpm --checksig -v kernel-2.4.20-30.7.legacy.i686.rpm
>
> kernel-2.4.20-30.7.legacy.i686.rpm:
> MD5 sum OK: 8679be0ce60e842d0ceab9e3084cefe8
> gpg: WARNING: --honor-http-proxy is a deprecated option.
> gpg: please use "--keyserver-options honor-http-proxy" instead
> gpg: Warning: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Fri 20 Feb 2004 11:07:04 PM EST using DSA key ID 731002FA
> gpg: Good signature from "Fedora Legacy (http://www.fedoralegacy.org) <secnotice@xxxxxxxxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Fingerprint: D66D 121F 9784 5E7B 2757 8C46 108C 4512 7310 02FA
>
> My question is about the gpg: WARNING: This key is not certified with a
> trusted signature!
>
> Is this related to the note on the web site at
> http://www.fedoralegacy.org/about/security.php

No.  This warning is because there are no signatures on the key from other
keys you trust, either your own key or someone else that you trust to sign
keys.

> Yesterday at the monthly LUG meeting one of the security folks
> walked me through the pgp setup on my rh8 server and I'm referencing
> the history file and attempting the setup on a rh72 server. I may
> have a procedure error as this is new for me.

One thing that will be different between rh7x and rh80 and above is that
the gpg key storage was moved from the user's gpg keyring to the rpm
database.  You seem to know that though, based on importing the key via
gpg instead of rpm.

If you were checking signatures on rh80 or above, you'd use
rpm --import <keyfile> instead of gpg --recv-keys <keyid>

This is related to the note on the site you referenced above.  If you try
to import a key using rpm and that key has other signatures on it, rpm can
store the key under the wrong keyid and mess up verifications.  See
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952 for details on
that annoying bug (that isn't even fixed in FC1, showing the priority the
gpg code seems to get in the rpm dev cycle).

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Every normal man must be tempted at times to spit upon his hands, hoist
the black flag and begin slitting throats.
    -- H.L. Mencken

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAS8Xeuv+09NZUB1oRAnBXAKDRexdQOBLvPULq/RFRwjdEAUQIlACdFsqT
7Y+VV1Ihl0pdk0s9aI7O+SI=
=77we
-----END PGP SIGNATURE-----
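The point Todd makes above, that "Good signature" plus "not certified with a trusted signature" means the signature itself verified but the signing key is outside your web of trust, is easy to misread when `rpm --checksig -v` output scrolls by. The following POSIX shell function is an added example, not code from the thread or from Fedora Legacy: it classifies a captured verification transcript and, for the untrusted-key case, falls back to comparing the printed fingerprint against one obtained out of band. The sample transcript is constructed from the lines quoted in the thread, and the expected fingerprint is the one ral77 pasted; in practice that value would come from a second channel (the project's web page, a printed card, a signed announcement), not from the same download as the package.

```shell
#!/bin/sh
# Added example (not from the original mail). Classify gpg/rpm verification output:
#   bad                         - no "Good signature" line, or an explicit BAD signature
#   good-trusted                - good signature and the key is in your web of trust
#   good-untrusted-fpr-ok       - good signature, key untrusted, but fingerprint matches
#                                 the one published out of band (accept after review)
#   good-untrusted-fpr-mismatch - good signature, untrusted key, fingerprint differs (reject)

# Constructed sample, built from the output quoted in the thread.
SAMPLE_OUTPUT='kernel-2.4.20-30.7.legacy.i686.rpm:
MD5 sum OK: 8679be0ce60e842d0ceab9e3084cefe8
gpg: Signature made Fri 20 Feb 2004 11:07:04 PM EST using DSA key ID 731002FA
gpg: Good signature from "Fedora Legacy (http://www.fedoralegacy.org) <secnotice@xxxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: D66D 121F 9784 5E7B 2757 8C46 108C 4512 7310 02FA'

# Constructed negative sample: same transcript but a different fingerprint.
SAMPLE_OUTPUT_WRONG_FPR='gpg: Good signature from "Fedora Legacy (http://www.fedoralegacy.org) <secnotice@xxxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
Fingerprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999'

# Fingerprint as pasted in the thread; treat it as the out-of-band reference value.
EXPECTED_FPR='D66D 121F 9784 5E7B 2757 8C46 108C 4512 7310 02FA'

# norm_fpr STRING: drop spaces and upper-case hex so formatting differences don't matter.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# classify_sig OUTPUT EXPECTED_FPR: prints the class above; exit 0 only for acceptable cases.
classify_sig() {
  out=$1
  expected=$(norm_fpr "$2")

  # An explicit BAD signature, or no Good signature at all, is a hard reject.
  if printf '%s\n' "$out" | grep -q '^gpg: BAD signature'; then
    echo bad; return 1
  fi
  if ! printf '%s\n' "$out" | grep -q '^gpg: Good signature'; then
    echo bad; return 1
  fi

  # No trust warning: the signing key is certified by something already trusted.
  if ! printf '%s\n' "$out" | grep -q 'not certified with a trusted signature'; then
    echo good-trusted; return 0
  fi

  # Untrusted key: the only defence left is the fingerprint check against the
  # out-of-band value. Matches "Fingerprint:" and "Primary key fingerprint:".
  fpr=$(printf '%s\n' "$out" | sed -n 's/^.*[Ff]ingerprint: *//p' | head -n 1)
  if [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$expected" ]; then
    echo good-untrusted-fpr-ok; return 0
  fi
  echo good-untrusted-fpr-mismatch; return 1
}

# Stand-alone run: classify the constructed transcript.
classify_sig "$SAMPLE_OUTPUT" "$EXPECTED_FPR"
```

Once the fingerprint has been confirmed this way, signing the key locally (`gpg --edit-key`, as ral77 did, or `lsign`) removes the warning for future checks; until then the warning is a correct statement that gpg has no reason to link that key to Fedora Legacy.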