LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Linux From Scratch
User Name
Password
Linux From Scratch This Forum is for the discussion of LFS.
LFS is a project that provides you with the steps necessary to build your own custom Linux system.

Notices


Reply
  Search this Thread
Old 04-25-2004, 09:35 AM   #1
koyi
Member
 
Registered: Jul 2003
Location: Osaka, Japan
Distribution: Arch, Ubuntu
Posts: 421

Rep: Reputation: 31
GPG error?


Hello, I have just downloaded the tar ball of all the packages needed for LFS-5.0.
Since I saw there is both a public key and a GPG signature, I tried to verify the package with them. (I am new to GPG) These are the commands I run and the results I got:

khoyee@kippy:/mnt/linux/downloaded/linux/LFS$ gpg --import gerard-beekmans-pubkey.gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key FA34077A: public key "Gerard Beekmans <gerard@linuxfromscratch.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
khoyee@kippy:/mnt/linux/downloaded/linux/LFS$ gpg --verify lfs-packages-5.0.tar.asc lfs-packages-5.0.tar
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Sat Nov 8 03:15:28 2003 JST using DSA key ID FA34077A
gpg: Good signature from "Gerard Beekmans <gerard@linuxfromscratch.org>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 468F 3BEC AF28 A38D 339E 19F2 E81A 98D2 FA34 077A

Looking at the warning at the end of the output, is there anything wrong with the package I downloaded? It confused me when it said "Good signature" but "not certified".... what does that mean?


Thanks in advance

Last edited by koyi; 04-25-2004 at 09:37 AM.
 
Old 05-06-2004, 09:23 AM   #2
Oliv'
Senior Member
 
Registered: Jan 2004
Location: Montpellier (France)
Distribution: Gentoo
Posts: 1,014

Rep: Reputation: 36
Hello,

Here is an answer (extract from http://webber.dewinter.com/gnupg_how...o-1.html#ss1.3)
A weak point of the Public key algorithms is the spreading of the public keys. A user could bring a public key with false user ID in circulation. If with this particular key messages are made, the intruder can decode and read the messages. If the intruder passes it on then still with a genuine public key coded to the actual recipient, this attack is not noticeable.

The PGP solution (and because of that automatically the GnuPG solution) exists in signing codes. A public key can be signed by other people. This signature acknowledges that the key used by the UID (User Identification) actually belongs to the person it claims to be. It is then up to the user of GnuPG how far the trust in the signature goes. You can consider a key as trustworthy when you trust the sender of the key and you know for sure that the key really belongs to that person. Only when you can trust the key of the signer, you can trust the signature. To be absolutely positive that the key is correct you have to compare the finger print over reliable channels before giving absolute trust.

Hope this reassures you
Oliv'
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
what to do? gpg error on apt-get update darkleaf Debian 7 04-30-2006 04:24 AM
gpg error foustware Ubuntu 1 04-16-2006 06:17 PM
Apt GPG error! please help THEHERO Debian 6 10-19-2005 07:35 AM
Evolution and GPG signing error RebootKid Linux - Software 2 09-22-2004 11:49 PM
gpg error Smokey Linux - Software 0 09-20-2004 12:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Linux From Scratch

All times are GMT -5. The time now is 04:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration