Re: Security GPG Key question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ral77 wrote:
> I have setup the keyserver pgp.mit.edu and  gpg --recv-key 0x731002FA . 
> Then set the trust with the interactive gpg --edit-key 0x731002FA . When 
> I run rpm --checksig -v kernel-2.4.20-30.7.legacy.i686.rpm
>
> kernel-2.4.20-30.7.legacy.i686.rpm:
> MD5 sum OK: 8679be0ce60e842d0ceab9e3084cefe8
> gpg: WARNING: --honor-http-proxy is a deprecated option.
> gpg: please use "--keyserver-options honor-http-proxy" instead
> gpg: Warning: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Fri 20 Feb 2004 11:07:04 PM EST using DSA key ID 
> 731002FA
> gpg: Good signature from "Fedora Legacy (http://www.fedoralegacy.org) 
> <secnotice@xxxxxxxxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the 
> owner.
> Fingerprint: D66D 121F 9784 5E7B 2757  8C46 108C 4512 7310 02FA

> My question is about the  gpg: WARNING: This key is not certified with a 
> trusted signature!
>
> Is this related to the note on the web site  at  
> http://www.fedoralegacy.org/about/security.php

No.  This warning is because there are no signatures on the key from
other keys you trust, either your own key or some someone else that
you have trust in to sign keys.

> Yesterday and the monthly LUG meeting one of the security folks
> walked me through the pgp setup on my rh8 server and I'm referencing
> the history file and attempting the setup on a rh72 server. I may
> have a procedure error as this is new for me.

One thing that will be different between rh7x and rh80 and above is
that the gpg key storage was moved fron the user's gpg keyring to the
rpm database.  You seem to know that though based on importing the key
via gpg instead of rpm.

If you were checking signatures on rh80 or above, you'd use 

    rpm --import <keyfile>
    
instead of 

    gpg --recv-keys <keyid>

This is related to the note on the site you referenced above.  If you
try to import a key using rpm and that key has other signatures on it,
rpm can store the key under the wrong keyid and mess up verifications.
See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952 for
details on that annoying bug (that isn't even fixed in FC1, showing
the priority the gpg code seems to get in the rpm dev cycle).

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Every normal man must be tempted at times to spit upon his hands,
hoist the black flag and begin slitting throats.
    -- H.L. Mencken

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAS8Xeuv+09NZUB1oRAnBXAKDRexdQOBLvPULq/RFRwjdEAUQIlACdFsqT
7Y+VV1Ihl0pdk0s9aI7O+SI=
=77we
-----END PGP SIGNATURE-----




[Index of Archives]     [Fedora Development]     [Fedora Announce]     [Fedora Legacy Announce]     [Fedora Config]     [PAM]     [Fedora General Discussion]     [Big List of Linux Books]     [Gimp]     [Yosemite Questions]

  Powered by Linux