Patrick O'Callaghan wrote:
> On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
>> Ok, I agree with your analysis. It can't be ruled as invalid if had
>> not been retrieved. But I am ignorant. I do not know how to do the
>> signing
>
> gpg --sign-key <name>
Bzzt! Don't do that. Not unless you have:
1) Verified the details of the key (fingerprint, size, and type,
at least)
2) Verified the email address used (perhaps via a simple challenge
email asking the key holder to sign some data of your choosing and
return it to you)
3) Done some sort of validation that the name on the key is really
the name the key holder is known as
There is nothing to be gained by just signing a key to make the
"invalid" warning go away. And in fact, it can be harmful. If you
use --sign-key and then even send that key to someone else or to a
keyserver, others may take your signature to mean that you've done
some or all of the verification I mentioned above. If you haven't,
you're harming your reputation, as no one wants to trust the
signature from someone that doesn't do any verification. (Think of
signing a key as you would notarizing a document. You wouldn't stamp
your seal on something without some checking.)
If you really must silence the warning (and I would argue that there
is no point in that), you can use gpg --lsign-key to create a local
signature. Such a signature will not ever be exported.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Abandon the search for Truth; settle for a good fantasy.
Attachment:
pgpUu3d7r7pZh.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
