Re: gpg trust paths
- From: "Magnus Therning" <magnus@xxxxxxxxxxxx>
- Date: Thu, 15 May 2008 11:00:17 +0100
On Thu, May 15, 2008 at 12:17 AM, Richard Hector <richard@xxxxxxxxxxxxx>
wrote:
The wiki page for the recent OpenSSL vulnerability offers a perl script
for checking keys, and a gpg signature for that script, and a key id for
that signature (that of Florian Weimer)
I can import the key as shown, and show that the script was indeed
signed by that key.
However, gpg warns me that it can't tell that that key indeed belongs to
Florian Weimer.
How can I fill in that gap, to properly verify the file?
I have signed keys of several people who have been to keysigning parties
at several debconfs, so I feel I should have a trust path to anybody of
significance in the Debian community - though I could be proved wrong.
I've also added the debian keyserver to my ~/.gnupg/options, as well as
the keyring from the debian-keyring package.
Is there a step I'm missing?
AFAIU you'd need to have all keys of the entire path locally in your keyring
in order for GPG to see a trusted path. If you don't want to download all
the missing keys you could try a PGP pathfinder on the web (there are
several that are easily found).
/M
- Follow-Ups:
- Re: gpg trust paths
- From: Richard Hector
- Re: gpg trust paths
- References:
- gpg trust paths
- From: Richard Hector
- gpg trust paths
- Prev by Date: Re: Blocking Gmail ads
- Next by Date: aptitude install less verbose
- Previous by thread: gpg trust paths
- Next by thread: Re: gpg trust paths
- Index(es):
Relevant Pages
|
