Re: GPG warning when installing on Debian 9

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GPG warning when installing on Debian 9

From:	Efraim Flashner
Subject:	Re: GPG warning when installing on Debian 9
Date:	Mon, 22 Jan 2018 21:31:37 +0200
User-agent:	Mutt/1.9.2 (2017-12-15)

On Mon, Jan 22, 2018 at 01:32:39PM -0500, Evan Rowley wrote:
> Hi All,
> 
> When attempting to install on Debian 9, the following was shown. I just
> wanted to ask here if this was the expected output.
> 
> address@hidden:~$ gpg --verify guix-binary-0.14.0.x86_64-linux.tar.xz.sig
> gpg: assuming signed data in 'guix-binary-0.14.0.x86_64-linux.tar.xz'
> gpg: Signature made Thu 07 Dec 2017 03:30:08 AM EST
> gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpg: Good signature from "Ludovic Courtès <address@hidden>" [unknown]
> gpg:                 aka "Ludovic Courtès <address@hidden>" [unknown]
> gpg:                 aka "Ludovic Courtès (Inria) <address@hidden>"
> [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
> 
> The 2nd & 3rd to last lines seem somewhat concerning. This is the message I
> recieve even after following the step to add the public key from the MIT
> server.
> 
> Steps I am referring to are here:
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#Binary-Installation
> 

address@hidden ~$ gpg -k 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
pub   rsa4096/0x090B11993D9AEBB5 2014-08-11 [SC] [expires: 2018-04-23]
      Key fingerprint = 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
uid                   [  full  ] Ludovic Courtès <address@hidden>
uid                   [  full  ] Ludovic Courtès <address@hidden>
uid                   [  full  ] Ludovic Courtès (Inria) <address@hidden>
sub   rsa4096/0x2C27F831C135697E 2014-08-11 [E]

the [unknown] just means that there's no trust path between keys that
you've signed and Ludovic's key. The WARNING is just gpg's way of
displaying that information.

If it were bad it'd look more like this:
(ins)address@hidden ~$ gpg --detach-sign gpl-3.0.txt
gpg: using "CA3D8351" as default secret key for signing
(ins)address@hidden ~$ mv gpl-3.0.txt.sig farm.blend.sig
(ins)address@hidden ~$ gpg --verify farm.blend.sig
gpg: assuming signed data in 'farm.blend'
gpg: Signature made Mon 22 Jan 2018 09:30:43 PM IST
gpg:                using RSA key A28BF40C3E551372662D14F741AAE7DCCA3D8351
gpg: BAD signature from "Efraim Flashner <address@hidden>" [ultimate]

-- 
Efraim Flashner   <address@hidden>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

GPG warning when installing on Debian 9, Evan Rowley, 2018/01/22
- Re: GPG warning when installing on Debian 9, Efraim Flashner <=
- Re: GPG warning when installing on Debian 9, Andreas Enge, 2018/01/22

Prev by Date: GPG warning when installing on Debian 9
Next by Date: Re: GPG warning when installing on Debian 9
Previous by thread: GPG warning when installing on Debian 9
Next by thread: Re: GPG warning when installing on Debian 9
Index(es):
- Date
- Thread