LinuxQuestions.org


entz 06-28-2011 01:33 PM

verifying keys with GPG
 
Hi,

Well, I've a key (the Linux archive key, to be exact) which I'd like to verify, to be 100% sure that it's the real one, before I can trust it to verify signatures and stuff.

How can I do that?

Also, once I'm done with that, how can I set this key as an "ultimately trusted key" (to borrow PGP terminology)?

cheers

CTM 06-28-2011 03:37 PM

The only way you can be 100% sure is if you meet face-to-face with someone from the Linux Kernel Archives, or speak to them over a secure phone line to verify the key or its fingerprint, or something of that nature. Since that's not really possible, it's "good enough" (in most scenarios) to get the public key via HTTPS over a trustworthy Internet connection and import it into your keyring. The LKA keys get revoked from time to time, so keep an eye on their web page for alerts of that kind.

I'm not sure why you want to ultimately trust the LKA key - the only reason to do this is if the owner of the key signs keys for others, and you want to acknowledge that you implicitly trust all other keys signed by the owner. As far as I'm aware, LKA doesn't sign keys for anyone else, so this is both unnecessary and dangerous (and besides, the only person you should ultimately trust in PGP is yourself - you should have at most complete trust in others). If you just want to verify the signatures of files you download from the LKA servers, it's sufficient to import their public key into your keyring and verify the signatures with "gpg --verify".

entz 06-28-2011 07:39 PM

Hmmm, alright,

First off, this is meant as an exercise (i.e. for educational purposes); secondly, I'm trying to learn more about the web of trust.

In particular, this is a response to this:
Quote:

Unless you have taken explicit steps to build a trust path to the Linux Kernel Archives Verification Key, you should expect to see a warning message akin to: .....
So how can I take "explicit steps" to build a trust path to the archives?

BTW, it's too bad that the page doesn't provide convenient links to download the public key (and the revocation certificates) instead of having to copy/paste them into a file.

I just discovered that the key has a certain number of signatures tied to it; what are these?
The site also mentions that more signatures will be included; I'm not quite sure I understand what that is supposed to mean... hmmm

Cheers

P.S. I forgot to mention that yesterday, when I downloaded the kernel source, there was a problem with the SSL certificate, which is partly responsible for me being so paranoid today.
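An added example (written for this thread, not code from either poster or from kernel.org) of the workflow CTM describes plus the "explicit step" entz asks about: check the downloaded key's fingerprint against a value obtained through a second channel, import it only on a match, then local-sign it (a non-exportable signature from your own key) so gpg --verify no longer warns, without granting the key ultimate trust. It assumes GnuPG 2.1 or later, a key file fetched over HTTPS, that you already have your own key pair, and an expected fingerprint that is a placeholder here.

```shell
#!/bin/sh
# Example helper functions; the expected fingerprint must come from an
# independent channel (printed docs, a person you met, a key-signing party),
# never from the same web page or download as the key itself.
set -eu

# Compare two fingerprints ignoring spacing and case; empty never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of a key file using a throwaway
# keyring, so nothing reaches the real keyring before it is checked.
key_file_fingerprint() {
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    gpg --batch --homedir "$tmp" --import "$1" 2>/dev/null
    gpg --batch --homedir "$tmp" --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    rm -rf "$tmp"
}

# Import the key only if its fingerprint matches the out-of-band value,
# then local-sign it (lsign = non-exportable, stays on this machine).
# This builds the trust path without setting ownertrust to "ultimate".
import_if_fingerprint_matches() {
    keyfile=$1
    expected=$2
    actual=$(key_file_fingerprint "$keyfile")
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        return 1
    fi
    gpg --batch --import "$keyfile"
    gpg --batch --quick-lsign-key "$actual"
}

# Verify a detached signature over a download; non-zero status on failure.
verify_download() {
    gpg --batch --verify "$2" "$1"
}

# Usage (placeholder fingerprint, replace with the out-of-band value):
#   import_if_fingerprint_matches archive-key.asc 'XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX'
#   verify_download linux-x.y.tar.bz2 linux-x.y.tar.bz2.sign
```

After the local signature, revoked keys still need your attention: re-fetch the key (or the revocation certificate) when the archive announces one, since gpg --verify will only refuse a revoked key once the revocation is in your keyring.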

