GPG error?

koyi · 04-25-2004, 09:35 AM

Hello, I have just downloaded the tar ball of all the packages needed for LFS-5.0.
Since I saw there is both a public key and a GPG signature, I tried to verify the package with them. (I am new to GPG) These are the commands I run and the results I got:

khoyee@kippy:/mnt/linux/downloaded/linux/LFS$ gpg --import gerard-beekmans-pubkey.gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key FA34077A: public key "Gerard Beekmans <gerard@linuxfromscratch.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
khoyee@kippy:/mnt/linux/downloaded/linux/LFS$ gpg --verify lfs-packages-5.0.tar.asc lfs-packages-5.0.tar
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Sat Nov 8 03:15:28 2003 JST using DSA key ID FA34077A
gpg: Good signature from "Gerard Beekmans <gerard@linuxfromscratch.org>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 468F 3BEC AF28 A38D 339E 19F2 E81A 98D2 FA34 077A

Looking at the warning at the end of the output, is there anything wrong with the package I downloaded? It confused me when it said "Good signature" but "not certified".... what does that mean?

Thanks in advance

Oliv' · 05-06-2004, 09:23 AM

Hello,

Here is an answer (extract from http://webber.dewinter.com/gnupg_how...o-1.html#ss1.3)
A weak point of the Public key algorithms is the spreading of the public keys. A user could bring a public key with false user ID in circulation. If with this particular key messages are made, the intruder can decode and read the messages. If the intruder passes it on then still with a genuine public key coded to the actual recipient, this attack is not noticeable.

The PGP solution (and because of that automatically the GnuPG solution) exists in signing codes. A public key can be signed by other people. This signature acknowledges that the key used by the UID (User Identification) actually belongs to the person it claims to be. It is then up to the user of GnuPG how far the trust in the signature goes. You can consider a key as trustworthy when you trust the sender of the key and you know for sure that the key really belongs to that person. Only when you can trust the key of the signer, you can trust the signature. To be absolutely positive that the key is correct you have to compare the finger print over reliable channels before giving absolute trust.

Hope this reassures you

Oliv'