zsh-users
From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: Peter Stephenson <p.stephenson@samsung.com>, zsh-users@zsh.org
Subject: Re: PGP key question
Date: Tue, 02 Oct 2018 14:15:20 +0000
Message-ID: <1538489720.837058.1527925520.5B526C32@webmail.messagingengine.com>
In-Reply-To: <20181002082357eucas1p15daa8f2c0502c104b7ffe966c528571e~ZvRMqKvXa1039810398eucas1p1o@eucas1p1.samsung.com>

Peter Stephenson wrote on Tue, 02 Oct 2018 09:23 +0100:
> On Tue, 2 Oct 2018 08:51:17 +0100
> Ben Oliver <ben@bfoliver.com> wrote:
> > On 18-10-02 01:21:03, Clark Dunson wrote:
> > >gpg: WARNING: This key is not certified with a trusted signature!
> > >
> > >gpg:          There is no indication that the signature belongs to the owner.
> > >
> > >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
> > >
> > >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
> > >
> > >Is there a concern here?  
> > 
> > This is just a warning that you have not personally signed the key, i.e. 
> > verified that you know this person.
> > 
> > gpg just knows that key X was used to sign the package, it doesn't know 
> > if the key truly belongs to the owner - that's on you to find out. If 
> > you are 100% sure (usually after meeting the owner) you can sign the key 
> > to avoid the warning.

In gpg(1), you can use 'lsign' to mark the key as known without
accidentally publishing the signature.  This is useful even without
verifying my identity, since it'll allow you to be sure that the 5.7
artifacts (when that version is released) will have been signed by the
same key that signed the 5.6.2 artifacts.

> To fill in the obvious: we're quite sure the releases were actually
> signed either by Daniel or me.
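
The key-continuity idea from the message above, as an added example that is not part of the original thread: after a one-time `lsign`, later releases can be checked against the same primary key by reading gpg's machine-readable status output. The function names are hypothetical and the sample status lines are constructed; only the two fingerprints come from the quoted gpg output.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.
# One-time step described in the message (local, non-exportable signature):
#   gpg --lsign-key E96646BE08C0AF0AA0F90788A5FEEE3AC7937444
# Primary key fingerprint as printed in the gpg output quoted above.
PINNED='E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444'

# Strip the display spacing and upper-case, matching gpg's status format.
normalise_fpr() {
    printf '%s\n' "$1" | tr -d ' ' | tr abcdef ABCDEF
}

# Read `gpg --status-fd 1 --verify ...` output on stdin; succeed only if some
# VALIDSIG line names the pinned primary key. VALIDSIG's first argument is the
# fingerprint of the (sub)key that made the signature, its tenth (field 12
# here) is the primary key fingerprint.
same_signer() {
    awk -v want="$(normalise_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 && $12 == want { ok = 1 }
        END { exit !ok }'
}

# Constructed status output (date and timestamp invented) for a signature made
# by the subkey quoted above.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 6EB60B637CE5ACBF2449A2DADB27E997429AF20C 2018-09-14 1536900000 0 4 0 1 8 00 E96646BE08C0AF0AA0F90788A5FEEE3AC7937444
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real use (placeholder file names):
#   gpg --status-fd 1 --verify RELEASE.tar.xz.asc RELEASE.tar.xz 2>/dev/null |
#       same_signer "$PINNED" || echo "different signing key" >&2
if sample_status | same_signer "$PINNED"; then
    echo "signed under the pinned primary key"
else
    echo "NOT signed under the pinned primary key" >&2
fi
```

The check compares the primary key, so a release signed by a different subkey of the same primary key still passes, while a BADSIG or a signature from any other key fails.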
