zsh-users
 help / Atom feed
* PGP key question
@ 2018-10-02  1:21 Clark Dunson
  2018-10-02  7:51 ` Ben Oliver
  0 siblings, 1 reply; 5+ messages in thread
From: Clark Dunson @ 2018-10-02  1:21 UTC (permalink / raw)
  To: zsh-users

[-- Attachment #1: Type: text/plain, Size: 1796 bytes --]

On the site it says:


All files are signed with the following OpenPGP<https://en.wikipedia.org/wiki/Pretty_Good_Privacy> keys:

pub   2048R/4BDB27B3 2015-11-25

      Key fingerprint = F7B2 754C 7DE2 8309 1466  1F0E A71D 9A9D 4BDB 27B3

uid                  Peter Stephenson <p.w.stephenson@ntlworld.com>

sub   2048R/4C58D718 2015-11-25



pub   rsa3072 2013-06-11 [SC] [expires: 2020-07-01]

      E96646BE08C0AF0AA0F90788A5FEEE3AC7937444

uid           [ unknown] Daniel Shahaf

uid           [ unknown] Daniel Shahaf

sub   rsa3072 2013-06-11 [E] [expires: 2020-07-01]

sub   rsa4032 2017-06-28 [S] [expires: 2020-07-01]

But I get:


~/Downloads$ gpg --verify zsh-5.6.2.tar.xz.asc zsh-5.6.2.tar.xz

gpg: Signature made Fri Sep 14 05:58:34 2018 PDT

gpg:                using RSA key 6EB60B637CE5ACBF2449A2DADB27E997429AF20C

gpg: key A5FEEE3AC7937444: 26 signatures not checked due to missing keys

gpg: key A5FEEE3AC7937444: public key "Daniel Shahaf <danielsh@apache.org>" imported

gpg: marginals needed: 3  completes needed: 1  trust model: pgp

gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

gpg: next trustdb check due at 2022-10-02

gpg: Total number processed: 1

gpg:               imported: 1

gpg: Good signature from "Daniel Shahaf <danielsh@apache.org>" [unknown]

gpg:                 aka "Daniel Shahaf <d.s@daniel.shahaf.name>" [unknown]

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444

     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C

Is there a concern here?

Thank you!

Clark

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: PGP key question
  2018-10-02  1:21 PGP key question Clark Dunson
@ 2018-10-02  7:51 ` Ben Oliver
  2018-10-02  8:23   ` Peter Stephenson
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Oliver @ 2018-10-02  7:51 UTC (permalink / raw)
  To: zsh-users

[-- Attachment #1: Type: text/plain, Size: 744 bytes --]

On 18-10-02 01:21:03, Clark Dunson wrote:
>gpg: WARNING: This key is not certified with a trusted signature!
>
>gpg:          There is no indication that the signature belongs to the owner.
>
>Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
>
>     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
>
>Is there a concern here?

This is just a warning that you have not personally signed the key, ie 
verified that you know this person.

gpg just knows that key X was used to sign the package, it doesn't know 
if the key truly belongs to the owner - that's on you to find out. If 
you are 100% sure (usually after meeting the owner) you can sign the key 
to avoid the warning.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: PGP key question
  2018-10-02  7:51 ` Ben Oliver
@ 2018-10-02  8:23   ` Peter Stephenson
  2018-10-02 14:15     ` Daniel Shahaf
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Stephenson @ 2018-10-02  8:23 UTC (permalink / raw)
  To: zsh-users

On Tue, 2 Oct 2018 08:51:17 +0100
Ben Oliver <ben@bfoliver.com> wrote:
> On 18-10-02 01:21:03, Clark Dunson wrote:
> >gpg: WARNING: This key is not certified with a trusted signature!
> >
> >gpg:          There is no indication that the signature belongs to the owner.
> >
> >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
> >
> >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
> >
> >Is there a concern here?  
> 
> This is just a warning that you have not personally signed the key, ie 
> verified that you know this person.
> 
> gpg just knows that key X was used to sign the package, it doesn't know 
> if the key truly belongs to the owner - that's on you to find out. If 
> you are 100% sure (usually after meeting the owner) you can sign the key 
> to avoid the warning.

To fill in the obvious: we're quite sure the releases were actually
signed either by Daniel or me.

pws


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: PGP key question
  2018-10-02  8:23   ` Peter Stephenson
@ 2018-10-02 14:15     ` Daniel Shahaf
  2018-10-02 15:17       ` Clark Dunson
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Shahaf @ 2018-10-02 14:15 UTC (permalink / raw)
  To: Peter Stephenson, zsh-users

Peter Stephenson wrote on Tue, 02 Oct 2018 09:23 +0100:
> On Tue, 2 Oct 2018 08:51:17 +0100
> Ben Oliver <ben@bfoliver.com> wrote:
> > On 18-10-02 01:21:03, Clark Dunson wrote:
> > >gpg: WARNING: This key is not certified with a trusted signature!
> > >
> > >gpg:          There is no indication that the signature belongs to the owner.
> > >
> > >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
> > >
> > >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
> > >
> > >Is there a concern here?  
> > 
> > This is just a warning that you have not personally signed the key, ie 
> > verified that you know this person.
> > 
> > gpg just knows that key X was used to sign the package, it doesn't know 
> > if the key truly belongs to the owner - that's on you to find out. If 
> > you are 100% sure (usually after meeting the owner) you can sign the key 
> > to avoid the warning.

In gpg(1), you can use 'lsign' to mark the key as known without
accidentally publishing the signature.  This is useful even without
verifying my identity, since it'll allow you to be sure that the 5.7
artifacts (when that version is released) will have been signed by the
same key who signed the 5.6.2 artifacts.

> To fill in the obvious: we're quite sure the releases were actually
> signed either by Daniel or me.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: PGP key question
  2018-10-02 14:15     ` Daniel Shahaf
@ 2018-10-02 15:17       ` Clark Dunson
  0 siblings, 0 replies; 5+ messages in thread
From: Clark Dunson @ 2018-10-02 15:17 UTC (permalink / raw)
  To: zsh-users

Great you guys, thank you so much.  Glad to hear that source forge hasn't swooped so low as cnet.

My coworker Thibault was showing me around zsh yesterday.  I think I actually drooled.

Cheers

Clark

On 10/2/18, 7:16 AM, "Daniel Shahaf" <d.s@daniel.shahaf.name> wrote:

    Peter Stephenson wrote on Tue, 02 Oct 2018 09:23 +0100:
    > On Tue, 2 Oct 2018 08:51:17 +0100
    > Ben Oliver <ben@bfoliver.com> wrote:
    > > On 18-10-02 01:21:03, Clark Dunson wrote:
    > > >gpg: WARNING: This key is not certified with a trusted signature!
    > > >
    > > >gpg:          There is no indication that the signature belongs to the owner.
    > > >
    > > >Primary key fingerprint: E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
    > > >
    > > >     Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449  A2DA DB27 E997 429A F20C
    > > >
    > > >Is there a concern here?  
    > > 
    > > This is just a warning that you have not personally signed the key, ie 
    > > verified that you know this person.
    > > 
    > > gpg just knows that key X was used to sign the package, it doesn't know 
    > > if the key truly belongs to the owner - that's on you to find out. If 
    > > you are 100% sure (usually after meeting the owner) you can sign the key 
    > > to avoid the warning.
    
    In gpg(1), you can use 'lsign' to mark the key as known without
    accidentally publishing the signature.  This is useful even without
    verifying my identity, since it'll allow you to be sure that the 5.7
    artifacts (when that version is released) will have been signed by the
    same key who signed the 5.6.2 artifacts.
    
    > To fill in the obvious: we're quite sure the releases were actually
    > signed either by Daniel or me.
    


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-02  1:21 PGP key question Clark Dunson
2018-10-02  7:51 ` Ben Oliver
2018-10-02  8:23   ` Peter Stephenson
2018-10-02 14:15     ` Daniel Shahaf
2018-10-02 15:17       ` Clark Dunson

zsh-users

Archives are clonable: git clone --mirror http://inbox.vuxu.org/zsh-users

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.zsh.users


AGPL code for this site: git clone https://public-inbox.org/ public-inbox