
Mailing List Archive: GnuPG: users

new user anxiety

 

 



mtw at view

Apr 15, 2012, 9:12 PM

Post #1 of 6 (492 views)
new user anxiety

Found nothing in the FAQ on this.

I thought I'd start using gnupg, got the latest version and went

gpg --verify gnupg-2.0.19.tar.bz2.sig gnupg-2.0.19.tar.bz2

Result:

gpg: Signature made Tue 27 Mar 2012 19:33:35 CST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Just wondering who is masquerading as a guy named Werner Koch and
necessarily using an untrusted key. Maybe my named has been got at
and I'm not getting gnupg-2.0.19.tar.bz2 from where I think, right?
What is the IP address of the genuine site, can anyone tell me?

Hum. Found the same re the character who supposedly signed GNU Hello,
one Karl Something-or-other. Same problem, someone faking his
identity...? (Assuming he exists, of course.) Is this normal? Why
the capitalized WARNING if it's normal? What's going on? A newbie'd
like to know.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


rjh at sixdemonbag

Apr 15, 2012, 10:59 PM

Post #2 of 6 (472 views)
Re: new user anxiety

On 4/16/2012 12:12 AM, Michael Talbot-Wilson wrote:
> Found nothing in the FAQ on this.

First, it's an entirely expected thing. It's not a problem, it's just a
thing.

Until you have personally vouched for the fact a certificate belongs to
a certain person, GnuPG will warn you about trusting signatures made by
that certificate. You haven't vouched for Werner's certificate, so
GnuPG is warning you. That's all.

You can get rid of the error message by:

gpg --edit-key 4f25e3b6 lsign

Enter your passphrase, and GnuPG will know that you are vouching for the
fact certificate 0x4F25E3B6 really belongs to Werner.

Try verifying the signature again, and the warning message will disappear.

Hope this helps!

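Added example (not part of the thread, and not code from the GnuPG project): the reply above removes the warning by locally signing the key. This script shows what a scripted check can rely on instead of the wording of that warning: the fingerprint in gpg's --status-fd output, compared against a value pinned beforehand. The function names, the constructed status lines, and the premise that the fingerprint from the first post was confirmed out of band are assumptions of this example.

```shell
#!/bin/sh
# Added example: judge `gpg --status-fd` output against a pinned fingerprint.

# Fingerprint as printed in the first post's gpg output, spaces removed.
# Assumption: it has been confirmed through a channel other than the download.
PINNED_FPR="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"

# check_status FPR: read status lines on stdin, print a verdict, and
# return 0 only for a valid signature made by the pinned key.
check_status() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last
        # field is the primary key fingerprint when gpg reports one.
        $2 == "VALIDSIG" {
            seen = 1
            if (toupper($3) == want || toupper($NF) == want) pinned = 1
        }
        # TRUST_UNDEFINED is the status-line form of the WARNING in the first post.
        $2 ~ /^TRUST_/ { trust = $2 }
        END {
            if (bad)     { print "REJECT: bad or unverifiable signature"; exit 1 }
            if (!seen)   { print "REJECT: no valid signature"; exit 1 }
            if (!pinned) { print "REJECT: valid signature, wrong key"; exit 1 }
            print "ACCEPT: pinned key (" (trust ? trust : "no trust line") ")"
        }'
}

# verify_pinned SIGFILE DATAFILE [FPR]: run gpg and judge what it reports.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Constructed status lines mirroring the first post (timestamps made up).
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2012-03-27 1332900000 0 4 0 1 2 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
[GNUPG:] TRUST_UNDEFINED
EOF
}
```

Run as `verify_pinned gnupg-2.0.19.tar.bz2.sig gnupg-2.0.19.tar.bz2`; the verdict depends on the fingerprint match, so it is the same before and after the key is locally signed.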


mika.henrik.mainio at hotmail

Apr 16, 2012, 1:46 AM

Post #3 of 6 (462 views)
Re: new user anxiety

16.04.2012 07:12, Michael Talbot-Wilson wrote:
> Found nothing in the FAQ on this.
>
> I thought I'd start using gnupg, got the latest version and went
>
> gpg --verify gnupg-2.0.19.tar.bz2.sig gnupg-2.0.19.tar.bz2
>
> Result:
>
> gpg: Signature made Tue 27 Mar 2012 19:33:35 CST using RSA key ID
> 4F25E3B6
> gpg: Good signature from "Werner Koch (dist sig)"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25
> E3B6
>
> Just wondering who is masquerading as a guy named Werner Koch and
> necessarily using an untrusted key. Maybe my named has been got at
> and I'm not getting gnupg-2.0.19.tar.bz2 from where I think, right?
> What is the IP address of the genuine site, can anyone tell me?
>
> Hum. Found the same re the character who supposedly signed GNU Hello,
> one Karl Something-or-other. Same problem, someone faking his
> identity...? (Assuming he exists, of course.) Is this normal? Why
> the capitalized WARNING if it's normal? What's going on? A newbie'd
> like to know.

That warning means that you (or a person whose key you have signed) haven't
signed that key.
See also
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#reason_examples

I hope that this helps.

--
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728


kf at sumptuouscapital

Apr 16, 2012, 2:29 AM

Post #4 of 6 (466 views)
Re: new user anxiety


On 16.04.2012 05:12, Michael Talbot-Wilson wrote:
> Found nothing in the FAQ on this.
>
> I thought I'd start using gnupg, got the latest version and went
>
> gpg --verify gnupg-2.0.19.tar.bz2.sig gnupg-2.0.19.tar.bz2


Hi,

As it is a little bit ambiguous whether you had GnuPG installed in the
first place I just want to add a disclaimer as found on [1]; "Never
use a GnuPG version you just downloaded to check the integrity of the
source - use an existing GnuPG installation."

The question at hand has already been answered.

[1] http://gnupg.org/download/integrity_check.en.html

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Corruptissima re publica plurim leges
The greater the degeneration of the republic, the more of its laws
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is now
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/




mtw at view

Apr 16, 2012, 2:47 PM

Post #5 of 6 (455 views)
Re: new user anxiety

On Mon, 16 Apr 2012, Robert J. Hansen wrote:

> On 4/16/2012 12:12 AM, Michael Talbot-Wilson wrote:
>> Found nothing in the FAQ on this.
>
> First, it's an entirely expected thing. It's not a problem, it's just a
> thing.

Thanks. And thanks to everyone who responded. I think I found the
answer overnight in Lucas's book, the section "Email from Beyond Your
Web of Trust" (p. 120). I guess I need to _have_ some such web.

Thanks again.



david at gbenet

Apr 23, 2012, 7:33 AM

Post #6 of 6 (435 views)
Re: new user anxiety


On 16/04/12 22:47, Michael Talbot-Wilson wrote:
> On Mon, 16 Apr 2012, Robert J. Hansen wrote:
>
>> On 4/16/2012 12:12 AM, Michael Talbot-Wilson wrote:
>>> Found nothing in the FAQ on this.
>>
>> First, it's an entirely expected thing. It's not a problem, it's just a
>> thing.
>
> Thanks. And thanks to everyone who responded. I think I found the
> answer overnight in Lucas's book, the section "Email from Beyond Your
> Web of Trust" (p. 120). I guess I need to _have_ some such web.
>
> Thanks again.
>
Hello Michael,

Firstly, ALL keys are untrustworthy - even if signed by someone else - it's not till you
have met the person - verified it's them - and checked a copy of their public key - which
they show you as a print out. If you then decide to have a level of confidence (trust) in
that person being who they say they are - and the key belongs to them then you can set some
level of trust.

The web of trust is not something you can pick up. Rather the web of trust is a group of
people that have seen each other's public keys and thus signed them. So your mates and your
sister all use pgp - they each agree to sign each's key - then you have a web of trust.

--
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.”
http://counter.li.org 512854
