lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Jayakumar <kiranjuni...@gmail.com>
Subject Re: Problem with verifying signature ?
Date Fri, 07 Sep 2012 19:19:27 GMT
Thank you.

On Thu, Sep 6, 2012 at 9:51 AM, Chris Hostetter <hossman_lucene@fucit.org>wrote:

>
> : gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key
> : ID 322
> : D7ECA
> : gpg: Good signature from "Robert Muir (Code Signing Key) <
> rmuir@apache.org>"
> : *gpg: WARNING: This key is not certified with a trusted signature!*
> : gpg:          There is no indication that the signature belongs to the
> : owner.
> : Primary key fingerprint: 6661 9BA3 C030 DD55 3625  1303 817A E1DD 322D
> 7ECA
> :
> : Is this acceptable ?
>
> I guess it depends on what you mean by acceptible?
>
> I'm not an expert on this, but as i understand it...
>
> gpg is telling you that it confirmed the signature matches a known key
> named "Robert Muir (Code Signing Key)" which is in your keyring, but that
> there is no certified level of trust association with that key.
>
> Key Trust is a personal thing, specific to you, your keyring, and how you
> got the keys you put in that ring.  if you trust that the KEYS file you
> downloaded from apache.org is legitimate, and that all the keys in it
> should be trusted, you can tell gpg that.  (using the "trust"
> interactive command when using --edit-key)
>
> Alternatively, you could tell gpg that you have a high level of trust in
> the key of some other person you have met personally -- ie: if you met Uwe
> at a confernce and he physically handed you his key on a USB drive -- and
> then if Uwe has signed Robert's key with his own (i think it has, not sure
> off the top of my head), then gpg would extend an implicit transitive
> trust to Robert's key...
>
> http://www.gnupg.org/gph/en/manual.html#AEN335
>
>
> -Hoss
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message