Re: PGP signatures.

On Wed, 2008-05-28 at 13:06 -0400, Todd Zullinger wrote:
> Patrick O'Callaghan wrote:
> > On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> >> Ok, I agree with your analysis. It can't be ruled as invalid if it had
> >> not been retrieved. But I am ignorant. I do not know how to do the
> >> signing
> > 
> > gpg --sign-key <name>
> 
> Bzzt!  Don't do that.  Not unless you have:
> 
>     1) Verified the details of the key (fingerprint, size, and type,
>     at least)
>     
>     2) Verified the email address used (perhaps via a simple challenge
>     email asking the key holder to sign some data of your choosing and
>     return it to you)
> 
>     3) Done some sort of validation that the name on the key is really
>     the name the key holder is known as
> 
> There is nothing to be gained by just signing a key to make the
> "invalid" warning go away.  And in fact, it can be harmful.  If you
> use --sign-key and then even send that key to someone else or to a
> keyserver, others may take your signature to mean that you've done
> some or all of the verification I mentioned above.  If you haven't,
> you're harming your reputation, as no one wants to trust the
> signature from someone that doesn't do any verification.  (Think of
> signing a key as you would notarizing a document.  You wouldn't stamp
> your seal on something without some checking.)
> 
> If you really must silence the warning (and I would argue that there
> is no point in that), you can use gpg --lsign-key to create a local
> signature.  Such a signature will not ever be exported.

Correct, I should have said --lsign-key.

poc
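
The checks discussed in this thread, as an added example that is not part of the original messages: it compares a key's fingerprint, size, and type with details obtained from the key holder out of band, and reports any certification of your own that is exportable rather than local. The listing is a constructed sample in the format of `gpg --with-colons --check-sigs`; the key IDs, names, and the `parse_listing` and `review` functions are assumptions made for illustration.

```python
# Added example: compare a key's listing with details obtained out of band.
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA", "19": "ECDSA", "22": "EdDSA"}

# Constructed sample in the format of `gpg --with-colons --check-sigs <key>`.
SAMPLE = """\
pub:-:2048:1:89ABCDEF01234567:1211932800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1211932800::UIDHASH::Example User <user@example.org>:
sig:!::1:89ABCDEF01234567:1211932800::::Example User <user@example.org>:13x:
sig:!::1:1111222233334444:1211990000::::Local Checker <me@example.org>:10l:
"""

def parse_listing(text):
    """Extract key details and certifications from a colon-format listing."""
    key = {"uids": [], "sigs": []}
    for line in text.splitlines():
        f = line.split(":") + [""] * 12   # pad so short records index safely
        if f[0] == "pub":
            key.update(bits=int(f[2]), algo=ALGOS.get(f[3], f[3]), keyid=f[4])
        elif f[0] == "fpr" and "fingerprint" not in key:
            key["fingerprint"] = f[9]     # first fpr record is the primary key's
        elif f[0] == "uid":
            key["uids"].append(f[9])
        elif f[0] == "sig":
            # Field 11 is the signature class plus 'x' (exportable) or 'l' (local).
            key["sigs"].append({"signer": f[4], "exportable": f[10].endswith("x")})
    return key

def review(text, expected_fpr, expected_bits, expected_algo, own_keyid):
    """Return a list of problems; an empty list means the details match."""
    key = parse_listing(text)
    problems = []
    if "".join(expected_fpr.split()).upper() != key.get("fingerprint"):
        problems.append("fingerprint mismatch")
    if expected_bits != key.get("bits"):
        problems.append("key size mismatch")
    if expected_algo != key.get("algo"):
        problems.append("key type mismatch")
    for sig in key["sigs"]:
        if sig["signer"] == own_keyid and sig["exportable"]:
            problems.append("own certification is exportable")
    return problems

if __name__ == "__main__":
    print(review(SAMPLE, "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
                 2048, "RSA", "1111222233334444"))
```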
