Re: Openssh 3.9p1
From: Greg Norris (haphazard_at_kc.rr.com)
Date: Sat, 21 Aug 2004 08:50:54 -0500 To: Troy.Wilson@chi.frb.org
That's actually a successful verification, as indicated by the "Good
signature from" line. The problem is in the web-of-trust... Damien's
key isn't signed by any trusted keys present in your keyring. What I
normally do in this situation, assuming I'm confident of the key's
legitimacy, is to add a non-exportable signature.
gpg --lsign-key 86FF9C48
On Fri, Aug 20, 2004 at 11:47:48AM -0500, Troy.Wilson@chi.frb.org wrote:
> Has anyone else warning for signature verification. I might be doing
> something wrong, but it seems like the archive was not signed using the
> public key. Here what I did:
> I download the file DJM-GPG-KEY.asc and did a gpg --import to import the
> public key.
> I then did a gpg --verify openssh-3.9p1.tar.gz.sig openssh-3.9p1.tar.gz
> I get the following output:
> # gpg --verify openssh-3.9p1.tar.gz.sig openssh-3.9p1.tar.gz
> gpg: Signature made Tue Aug 17 07:55:13 2004 CDT using DSA key ID 86FF9C48
> gpg: Good signature from "Damien Miller (Personal Key) <firstname.lastname@example.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF
> Troy Wilson
> Technology Group
> Systems Administrator