ant-user mailing list archives

From "Anderson, Rob (Global Trade)" <Rob.Ander...@nike.com>
Subject RE: pgp signature
Date Wed, 11 Feb 2004 17:47:58 GMT
The trust is assigned by you. If you want to assign trust to a person's key, you should know
that person and verify the fingerprint of the key with them personally (either face to face,
or over the phone). GPG allows you to build a "Web of Trust", so that if you trust me ultimately,
and I trust "Antoine Levy-Lambert" ultimately, then you trust "Antoine Levy-Lambert". Since
you have not built this "Web of Trust", GPG is complaining that even though the signature is
verified against the file, the key used to verify the signature has not been assigned trust,
and therefore, the key could be forged since you have not verified the fingerprint with "Antoine
Levy-Lambert". And if the key is forged, then the signature is meaningless, right?

I hope I have not confused you :)

-Rob Anderson

> -----Original Message-----
> From: Adam Hardy [mailto:adam.ant@cyberspaceroad.com]
> Sent: Wednesday, February 11, 2004 8:57 AM
> To: user@ant.apache.org
> Subject: pgp signature
> 
> 
> This is basically a newbie question about verifying the downloads from 
> Apache. I just checked the archives for 'ultimately trusted' and 'verify 
> signature' but didn't find anything.
> 
> I just did this for the first time (I'm the proud new owner of a 
> webserver so I've stepped my security awareness up a bit).
> 
> I got the following output:
> 
> [adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 265B4C63
> gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) <antoine@apache.org>"
> gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer) <antoine@antbuild.com>"
> gpg: checking the trustdb
> gpg: no ultimately trusted keys found
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63
> 
> 
> Does this mean that it failed? I got it from the German mirror.  Or is 
> the trustdb something I should update on my system? Obviously I 
> recognise Antoine's name :)
> 
> I am also not sure about this mechanism - does gpg know to check the 
> downloaded file because it has the same name as the *.asc file?
> 
> Adam
> -- 
> ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
> For additional commands, e-mail: user-help@ant.apache.org
> 
> 
> 
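
The distinction discussed in this thread, as an added example that is not part of either e-mail: a "Good signature" says the file matches the signature, while the trust warning says nothing has tied the key to its owner, so the script checks both by reading gpg's machine-readable status lines and comparing the signing key with a fingerprint you confirmed with the key owner yourself. The function names `normalize_fpr`, `check_status` and `verify_release` are hypothetical, and the sample status lines are constructed (only the fingerprint is taken from the gpg output quoted above).

```sh
#!/bin/sh
# Added example. gpg answers two separate questions:
#   1. Is the signature valid for this file?            (VALIDSIG status line)
#   2. Do I have grounds to believe whose key made it?  (trust / fingerprint)
# Here (2) is answered by comparing against a fingerprint confirmed in person.

# Strip spaces and upper-case, so "06A2 28AA ..." matches gpg's status form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR   (reads `gpg --status-fd 1` lines on stdin)
#   0 = valid signature made by the expected primary key
#   1 = no valid signature (bad signature, missing key, revoked key)
#   2 = valid signature, but from a key other than the expected one
check_status() {
    want=$(normalize_fpr "$1")
    got=""
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|REVKEYSIG) return 1 ;;
            VALIDSIG) got=${rest##* } ;;  # last field: primary key fingerprint
        esac
    done
    [ -n "$got" ] || return 1
    [ "$got" = "$want" ] || return 2
    return 0
}

# verify_release SIGFILE DATAFILE EXPECTED_FPR
# Both files are named, so nothing depends on gpg inferring DATAFILE
# from SIGFILE's name with ".asc" removed.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status lines modelled on the run quoted in the thread: the
# fingerprint is the one gpg printed there, the other fields are made up.
SAMPLE_FPR="06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63"
SAMPLE_STATUS='[GNUPG:] GOODSIG 8614D6AB265B4C63 Antoine Levy-Lambert
[GNUPG:] VALIDSIG 06A228AAB83A18A8DF7B84B08614D6AB265B4C63 2003-12-18 1071779212 0 3 0 17 2 00 06A228AAB83A18A8DF7B84B08614D6AB265B4C63
[GNUPG:] TRUST_UNDEFINED'

# TRUST_UNDEFINED is what produced the WARNING; the pinned match still passes.
printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR" && echo "signature valid, key matches"
```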

