Re: certification of signatures

mike wrote:
> I have a real basic question about verifying your download for Fedora 7,
> 8 and 9.  I'm new to keys, signatures, certification, etc. and I haven't
> been able to find what I need in the Fedora help resources.  Apologies  
> if this is the wrong place to post or if a similar post appears (not  
> sure that it was lost).
>
> The following is for Fedora 9.  I downloaded the iso on May 8th and  
> SHA1SUM on September 2 from the Kent mirrorservice in the UK.
>
> If I follow the instructions at http://fedoraproject.org/en/verify I get:
>
> [mike@desktop iso]$ gpg --verify SHA1SUM
> gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
> gpg: Good signature from "Fedora Project <fedora@xxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
> [mike@desktop iso]$
>
> My question is do I need to worry about the lack of certification?

That really depends on how cautious you want to be.

> If I do how do I check that the signature is certified?

You can verify the fedora gpg keys by following the steps at:

https://fedoraproject.org/en/keys

The key used to sign the Fedora 9 and earlier isos is now in the
"Obsolete keys" section, but the fingerprint information on that page
is still accurate.

> Also, does this have anything to do with the migration to new
> package keys?

Nope.

Though if you download Fedora 10 Beta, you'll find that it is signed
with a new key, which is not mentioned on the /verify page.  This will
hopefully be fixed¹ before Fedora 10 is released.

¹ https://fedorahosted.org/fedora-infrastructure/ticket/888

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A cynic is a man who, when he smells flowers, looks around for a
coffin.
    -- H. L. Mencken
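
The fingerprint check described above, as an added example that is not part of the original message or of Fedora's instructions: a shell function that reads `gpg --status-fd` output and accepts a signature only when the signing key's primary fingerprint equals a pinned value, independent of the local trust database. The function names, the `PINNED_FPR` variable and the sample status lines are constructed for illustration; the fingerprint is the one in the quoted output and should itself be compared with https://fedoraproject.org/en/keys.

```shell
#!/usr/bin/env bash
# Fingerprint copied from the gpg output quoted in this thread; compare it with
# https://fedoraproject.org/en/keys over HTTPS before relying on it.
PINNED_FPR="CAB44B996F27744E86127CDFB44269D04F2A6FD2"

# check_status EXPECTED_FPR  (reads `gpg --status-fd` lines on stdin)
# Succeeds only if at least one VALIDSIG line is present, every VALIDSIG names
# EXPECTED_FPR as primary key, and no bad/expired/revoked status was reported.
# TRUST_UNDEFINED (the "not certified" warning) is deliberately not a failure:
# the pinned fingerprint replaces the web-of-trust decision.
check_status() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -v want="$expected" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      n++
      fpr = (NF >= 12) ? $12 : $3   # field 12 is the primary key fingerprint
      if (toupper(fpr) == want) ok++
    }
    END { if (bad || n == 0 || ok != n) exit 1 }
  '
}

# Wrapper for real use (hypothetical name): verify a clearsigned checksum file.
verify_file() {
  gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status lines for a signature made by the key with fingerprint $1.
sample_status() {
  printf '[GNUPG:] NEWSIG\n'
  printf '[GNUPG:] GOODSIG %s Fedora Project\n' "$(printf '%s' "$1" | cut -c25-40)"
  printf '[GNUPG:] VALIDSIG %s 2008-05-08 1210212224 0 3 0 17 2 01 %s\n' "$1" "$1"
  printf '[GNUPG:] TRUST_UNDEFINED\n'
}

# Demo: the second fingerprint is a constructed stand-in for some other key.
for fpr in "$PINNED_FPR" 0123456789ABCDEF0123456789ABCDEF01234567; do
  if sample_status "$fpr" | check_status "$PINNED_FPR"; then
    echo "$fpr: signed by the pinned key"
  else
    echo "$fpr: REJECTED (good signature, but not from the pinned key)"
  fi
done
```

With a real download, `verify_file SHA1SUM` applies the same check to gpg's own status output; the ISO still has to be compared against the checksums in that file afterwards.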
