river-dev mailing list archives

From Matthias Hunstock <ma...@annaberg6.de>
Subject Re: Release Candidates -- Apache River Release v2.1.1
Date Fri, 21 Dec 2007 14:53:46 GMT
Mark Brouwer wrote:

> Also I tried to verify the distributions, I imported the KEYS file and
> received the keys of Jim, Frank and Jukka but all I get is this.

> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.

> So what is going wrong here?

In PGP, you have to set the "key (owner) trust". Just importing the key
does of course not mean that you trust the key. The usual procedure is
to contact the key owner over a secure medium (ideally f2f) to
cross-check the fingerprint of the key. Then you can set the key trust,
and will mostly sign his key, so that all other PGP users can see that
you trust this key.

This trust is calculated in a transitive way, so if you trust Jim
Hurley's Key "ultimately", you automatically trust Frank Barnaby's key
because of Jim's signature of Frank's key.

Unfortunately there is nothing like a root CA in PGP - that's why it is a
_web_ of trust - so this warning will appear for anyone who doesn't trust
e.g. one of the ASF members' keys. There is something called an "inner
ring", but even that is not installed with gpg normally, unlike the root
CA certificates delivered with web browsers.

hth
Matthias
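The reply above describes owner trust, fingerprint checking, key signing and the transitive ("web of trust") calculation in words. The following is an added example, not code from this thread or from the Apache River project: a small Python model of GnuPG's classic trust model (its defaults of one fully trusted or three marginally trusted signers, and a maximum certification depth of 5) applied to a constructed key graph that borrows the names from the thread. The signatures between the keys, the `river_keys` and `would_warn` helpers, and the trust assignments are all invented for illustration and say nothing about the real KEYS file; the point is to see exactly when the "not certified with a trusted signature" warning goes away.

```python
"""Model of GnuPG's classic web-of-trust validity computation.

Owner trust is what *you* record (gpg --edit-key <id> trust); validity is
what gpg derives from owner trust plus the certifications (key signatures)
in your keyring. "This key is not certified with a trusted signature!" is
gpg's way of saying the signer's key did not come out as valid.
"""
from dataclasses import dataclass

# Owner-trust levels as stored in gpg's trust database.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# GnuPG classic-trust-model defaults:
# --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass(frozen=True)
class Key:
    owner: str
    signed_by: frozenset = frozenset()  # owners whose keys have certified this key


def compute_validity(keys, owner_trust):
    """Return {owner: bool}: is each key valid, i.e. usable to verify signatures?

    A key is valid if it is ultimately trusted, or if it is certified by valid
    keys whose owners you trust: at least COMPLETES_NEEDED FULL/ULTIMATE signers
    or MARGINALS_NEEDED MARGINAL signers, within MAX_CERT_DEPTH hops of an
    ultimately trusted key. A signature from a key that is not itself valid, or
    whose owner you have not assigned trust, contributes nothing; that is what
    makes the calculation transitive rather than a flat list of accepted keys.
    """
    # Breadth-first by certification depth: ultimately trusted keys sit at depth 0.
    depth = {name for name in keys if owner_trust.get(name) == ULTIMATE}
    depth = {name: 0 for name in depth}
    for level in range(MAX_CERT_DEPTH):
        newly_valid = {}
        for name, key in keys.items():
            if name in depth:
                continue
            full = marginal = 0
            for signer in key.signed_by:
                if signer not in depth:
                    continue  # signer's own key is not (yet) valid
                trust = owner_trust.get(signer, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[name] = level + 1
        if not newly_valid:
            break
        depth.update(newly_valid)
    return {name: name in depth for name in keys}


def sign(keys, signer, target):
    """Model `gpg --sign-key`: return a keyring in which `signer` certified `target`."""
    updated = dict(keys)
    updated[target] = Key(target, keys[target].signed_by | {signer})
    return updated


def river_keys():
    """Constructed keyring (hypothetical signatures, not the real ASF KEYS file)."""
    return {
        "Jim": Key("Jim", frozenset({"Frank"})),
        "Frank": Key("Frank", frozenset({"Jim"})),
        "Jukka": Key("Jukka", frozenset({"Jim"})),
        "Matthias": Key("Matthias"),
    }


def would_warn(keys, owner_trust, signer):
    """True when verifying a release signed by `signer` would print the
    'not certified with a trusted signature' warning under this trust state."""
    return not compute_validity(keys, owner_trust)[signer]


if __name__ == "__main__":
    keys = river_keys()
    # 1. Right after `gpg --import KEYS`: only your own key is ultimately trusted.
    fresh = {"Matthias": ULTIMATE}
    print("after import, Jim's signature warns:", would_warn(keys, fresh, "Jim"))
    # 2. The reply's suggestion: after checking Jim's fingerprint out of band,
    #    trust his key ultimately; Frank and Jukka follow via Jim's signatures.
    print("Jim ultimate:", compute_validity(keys, {**fresh, "Jim": ULTIMATE}))
    # 3. The more usual route: certify Jim's key yourself and give it FULL
    #    owner trust, so Jim's own certifications start to count.
    signed = sign(keys, "Matthias", "Jim")
    print("signed, Jim unknown:", compute_validity(signed, fresh))
    print("signed, Jim full:", compute_validity(signed, {**fresh, "Jim": FULL}))
```

State 3 shows the distinction the reply hints at: your signature on Jim's key makes *Jim's* key valid, but Frank's key only becomes valid once you also record owner trust for Jim, because validity and owner trust are separate decisions in gpg.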
