On 25/11, Stephen & Linda Smith wrote:
I know that the linux and git repositories have signed tags, but I'm not able to verify them because my key isn't signed by anyone that leads back to one of the git or linux maintainers.
Your key would only have to be signed for others to be able to verify /your/ signatures through the Web of Trust.
You don't even need the Web of Trust though, you can just verify the signature and then check that the key used to make the signature is the correct one, then you could either sign the key if you know that the key belongs to the right person and want to make the signature public, or make a local signature which is local to your keyring and won't be sent to eg keyservers. Or just mark the key as trusted overall.
-- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
Attachment:
signature.asc
Description: PGP signature