On Wed, 2008-05-28 at 13:06 -0400, Todd Zullinger wrote:
> Patrick O'Callaghan wrote:
> > On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> >> Ok, I agree with your analysis. It can't be ruled as invalid if it had
> >> not been retrieved. But I am ignorant. I do not know how to do the
> >> signing
> >
> > gpg --sign-key <name>
>
> Bzzt! Don't do that. Not unless you have:
>
> 1) Verified the details of the key (fingerprint, size, and type,
> at least)
>
> 2) Verified the email address used (perhaps via a simple challenge
> email asking the key holder to sign some data of your choosing and
> return it to you)
>
> 3) Done some sort of validation that the name on the key is really
> the name the key holder is known as
>
> There is nothing to be gained by just signing a key to make the
> "invalid" warning go away. And in fact, it can be harmful. If you
> use --sign-key and then even send that key to someone else or to a
> keyserver, others may take your signature to mean that you've done
> some or all of the verification I mentioned above. If you haven't,
> you're harming your reputation, as no one wants to trust the
> signature from someone that doesn't do any verification. (Think of
> signing a key as you would notarizing a document. You wouldn't stamp
> your seal on something without some checking.)
>
> If you really must silence the warning (and I would argue that there
> is no point in that), you can use gpg --lsign-key to create a local
> signature. Such a signature will not ever be exported.

Correct, I should have said --lsign-key.

poc

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list