Re: OT: Pgp trusted keys for OpenSSH download, help with usage please
From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: Sat, 15 Nov 2003 10:17:13 -0500
"Sebastian Hans" <email@example.com> wrote in message
> Sufficient for what? What this means is that the file was correctly
> signed with the key of "Damien Miller (Personal Key) <firstname.lastname@example.org>".
> If you are sure that the key you have is the correct one, then you can
> be sure that the file you got is the correct one. This is just like an
> MD5 sum. If you are sure that the MD5 sum you have is the correct one
> and it checks out okay, then you can be sure that the file you got is
> the correct one.
> This trustdb stuff just means that you have not indicated whether you
> trust the key or any key it was signed with (and so on, some steps
> back). An analogy: If you don't believe that the MD5 sum is correct, you
> could take an MD5 sum of the MD5 sum and verify this. Repeat until you
> are satisfied. This is (very roughly) what the trustdb is about.
> Hope that helped
Mind you, I'm a lazy weasel. I'm known to grab the RedHat SRPMs and check
the gpg-based RPM signature on *those* sometimes, also checking the
included source tarball checksums against the published tarball, when I
haven't set up keys for every possible software author on a new account's
pgp or gpg setup.
But I'm a lazy weasel sometimes.
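A check for exactly the situation the quoted reply describes, added here as an example that is not from this thread or from the OpenSSH project: it parses GnuPG's machine-readable --status-fd lines (the GOODSIG/BADSIG/VALIDSIG/TRUST_* tags are the real ones) and refuses a "good" signature that comes with TRUST_UNDEFINED unless the signing key's fingerprint was fixed out of band. The sample status lines, key id and fingerprint below are constructed placeholders, not any real key.

```python
"""Parse GnuPG --status-fd output so a 'good' signature is not mistaken for a
trustworthy one: gpg --verify exits 0 on GOODSIG even with TRUST_UNDEFINED."""
from dataclasses import dataclass
from typing import Iterable, Optional

ACCEPTABLE_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # trustdb verdicts we accept

@dataclass
class VerifyResult:
    good_sig: bool = False             # [GNUPG:] GOODSIG: the crypto check passed
    bad_sig: bool = False              # [GNUPG:] BADSIG: file or signature altered
    fingerprint: Optional[str] = None  # key fingerprint from [GNUPG:] VALIDSIG
    trust: Optional[str] = None        # TRUST_UNDEFINED ... TRUST_ULTIMATE line

def parse_status(lines: Iterable[str]) -> VerifyResult:
    """Read the '[GNUPG:] TAG args...' lines; anything else is ignored."""
    r = VerifyResult()
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            r.good_sig = True
        elif tag == "BADSIG":
            r.bad_sig = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            r.fingerprint = fields[2].upper()
        elif tag.startswith("TRUST_"):
            r.trust = tag
    return r

def accept(r: VerifyResult, pinned_fpr: Optional[str] = None) -> bool:
    """Good signature AND (key matches a fingerprint fixed out of band, the 'you are
    sure the key is correct' case) OR the trustdb rates it fully/ultimately valid."""
    if not r.good_sig or r.bad_sig:
        return False
    if pinned_fpr is not None:
        return r.fingerprint == pinned_fpr.replace(" ", "").upper()
    return r.trust in ACCEPTABLE_TRUST

# Constructed sample status lines; the key id and fingerprint are placeholders.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = ["[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
               f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2003-11-15 1068912000 0 4 0 17 2 00 {SAMPLE_FPR}"]
SAMPLE_UNTRUSTED = SAMPLE_GOOD + ["[GNUPG:] TRUST_UNDEFINED 0 pgp"]
SAMPLE_TRUSTED = SAMPLE_GOOD + ["[GNUPG:] TRUST_ULTIMATE 0 pgp"]
SAMPLE_BAD = ["[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"]
```

To run it against a real download, feed it the stdout of "gpg --batch --status-fd 1 --verify file.tar.gz.sig file.tar.gz" split into lines; a bare GOODSIG with TRUST_UNDEFINED is rejected unless you pass the fingerprint you confirmed through another channel.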