Jonathan Ryshpan wrote:
Upgrading from f25 to f26, I have just downloaded Fedora-KDE-Live-x86_64-26-1.5.iso and am attempting to verify it according to the instructions on the download website ...
...
I find the output, which follows, somewhat suspicious; but I don't know what to make of it. Please excuse my extreme ignorance.
...
$ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri Jul 7 08:13:35 2017 PDT using RSA key ID 64DAB85D
...
gpg: Good signature from "Fedora 26 Primary (26) <fedora-26-primary@xxxxxxxxxxxxxxxxx>"
What gpg is telling you here is that the signature is good (I know, I'm restating the plainly obvious ;). But this is the important part of the verification.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D
The warning here is telling you that gpg can't say with any certainty that the key which made the good signature is a key you trust, because the fedora key isn't signed by you or someone you have told gpg you trust.
This warning is, IMO, something which is completely reasonable to ignore in this particular case. (It is an entirely valid warning and in many other cases where you'd be verifying a gpg signature it would be important information that should affect your trust of a signature.)
Your trust in the fedora gpg key is intended to come from the fact that you've downloaded it via https directly from the fedora site (as opposed to getting it from a keyserver or a mirror). All trust starts somewhere, after all. :)
Hope that helps,

--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There, I've gone and soiled myself, are you happy now?!
    -- Stewie Griffin
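The check discussed in the reply above can be scripted by pinning the key fingerprint instead of relying on gpg's trust database. This is an added example, not part of the original thread: the `check_status` and `report` helpers and all three status samples are constructed here, and the pinned value is the fingerprint from the quoted gpg output, to be compared first with the one published on the Fedora site over https.

```sh
#!/bin/sh
# Added example: accept a signature by pinned primary-key fingerprint, reading
# `gpg --status-fd 1` lines on stdin.

# Fingerprint shown in the gpg output quoted above, spaces removed.
PINNED_FPR="E641850B77DF435378D1D7E2812A6B4B64DAB85D"

# check_status FPR < status-lines
# Succeeds only if a VALIDSIG from the pinned primary key is present and no
# signature is bad, unverifiable, expired or revoked. TRUST_* lines (the source
# of the "not certified" warning) are deliberately not consulted.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: the last field is the primary key fingerprint.
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Constructed sample for the case in the thread: good signature, key not
# certified by anyone the user trusts.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 812A6B4B64DAB85D Fedora 26 Primary (26) <fedora-26-primary@xxxxxxxxxxxxxxxxx>
[GNUPG:] VALIDSIG E641850B77DF435378D1D7E2812A6B4B64DAB85D 2017-07-07 1499440415 0 4 0 1 8 01 E641850B77DF435378D1D7E2812A6B4B64DAB85D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: cryptographically good signature made by some other key
# (placeholder fingerprint).
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Other Key <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2017-07-07 1499440415 0 4 0 1 8 01 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: CHECKSUM file modified after signing.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 812A6B4B64DAB85D Fedora 26 Primary (26) <fedora-26-primary@xxxxxxxxxxxxxxxxx>'

report() {
    if printf '%s\n' "$2" | check_status "$PINNED_FPR"; then echo "$1: accept"; else echo "$1: reject"; fi
}
report "pinned key, untrusted in keyring" "$GOOD_STATUS"
report "different key" "$OTHER_KEY_STATUS"
report "bad signature" "$BAD_STATUS"

# Real use: gpg --status-fd 1 --verify-files *-CHECKSUM 2>/dev/null | check_status "$PINNED_FPR"
```

The first sample is accepted even though it carries `TRUST_UNDEFINED`, while a valid signature from any other key is rejected, which is the distinction the warning text alone does not make.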