ant-dev mailing list archives

From Stefan Bodewig <>
Subject Re: pgp key for signing files
Date Wed, 07 Jun 2006 04:05:42 GMT
On Tue, 6 Jun 2006, Kev Jackson <> wrote:
> On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:

>> Another thing is that it would be good to have signatures on your
>> key.
> Well I'm currently in Vietnam, so I guess that no I'm not near
> enough to anyone

True.  No ASF members either (the closest ones probably are in Japan).

> I've never done this whole pgp thing before, and reading the gpg
> home page makes it seem partly simple (gen keys) and partly
> extremely complicated (signing).

Technically signing is not any more difficult than generating keys.
If you are certain a key belongs to a given person, you sign it.  What
you do with the signed key is up to your personal taste - I upload it
to the keyservers, others will mail it to the originator.

If you import a key you get the choice to assign trust to it in GPG.
This version of "trust" means "how much do I trust the originator to
really only sign keys after checking they are proper keys".  So it is
a measure of trust in signatures by that key on other keys.  You
don't need to sign a key to assign trust to the user.

When you verify a signature on a document GPG will not only check
whether the signature is valid, but also whether you can assume that
the key which has been used to sign the document really belongs to the
person who claims it.  If you've signed the key yourself, you've
checked the key yourself already and thus know the key and trust the
signature.  If you haven't, all signatures on that key and the trust
you've assigned to the people who signed it will be taken into account
to calculate how much you can be sure the key was real.
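
The calculation described in the last paragraph, as an added example that is not part of the original message and not GnuPG's own code: a simplified model of GnuPG's default classic trust rules (a key is valid if you signed it, or if one fully trusted or three marginally trusted valid keys signed it, within five steps of your own key). The keyring and every name in it are constructed for illustration.

```python
# Added example: simplified model of GnuPG's classic web-of-trust rules.
# GnuPG defaults: 1 fully trusted or 3 marginally trusted signers, depth <= 5.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5


def valid_keys(my_key, signatures, ownertrust):
    """Return {key: depth} for every key the model accepts as valid.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: FULL or MARGINAL}, how far you trust that owner's
                signatures on other keys (not whether the key is real)
    """
    valid = {my_key: 0}  # your own key is the root
    for depth in range(1, MAX_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s) == FULL for s in counted)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in counted)
            if (my_key in counted or full >= COMPLETES_NEEDED
                    or marginal >= MARGINALS_NEEDED):
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


# Constructed sample keyring; all names are hypothetical.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "release-key": {"alice"},            # one fully trusted signer
    "two-marginals": {"bob", "carol"},   # one marginal signer short
    "three-marginals": {"bob", "carol", "dave"},
    "mallory-friend": {"mallory"},       # signer's own key is not valid
}
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
              "dave": MARGINAL, "mallory": FULL}

if __name__ == "__main__":
    result = valid_keys("me", SIGNATURES, OWNERTRUST)
    for name in sorted(SIGNATURES):
        print(f"{name:16} {'valid' if name in result else 'not valid'}")
```

In this model, trust assigned to "mallory" has no effect because nothing valid vouches for that key itself, which is why a release key is only as verifiable as the signatures it carries.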

