Posted to user@ant.apache.org by Steve Cohen <St...@ignitesports.com> on 2002/06/21 17:56:01 UTC

gpg and distribution

I downloaded the 1.5 distribution and saw all the information about
gpg and keys.  I downloaded a version of gpg from GNU for Windows and 
installed it.  I then attempted to follow the step listed and got this 
response.  Can someone tell me if this indicates a problem?

E:\ant1.5b>e:\gnupg\gpg --import KEYS
gpg: key FEECAAED: public key imported
gpg: c:/gnupg/trustdb.gpg: trustdb created
gpg: key 51898504: public key imported
gpg: key 5F6B8B72: public key imported
gpg: key 697ECEDD: public key imported
gpg: key EDF62C35: public key imported
gpg: key EDF62C35: not changed
gpg: Total number processed: 6
gpg:               imported: 5  (RSA: 2)
gpg:              unchanged: 1

E:\ant1.5b>e:\gnupg\gpg --verify jakarta-ant-1.5Beta2-src.tar.gz.asc
gpg: Signature made 05/31/02 18:48:56  using DSA key ID EDF62C35
gpg: Good signature from "Magesh Umasankar <um...@apache.org>"
Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 5F35 E131 F832 ED23 F761  578B EFA3 E779 EDF6 2C35

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: gpg and distribution

Posted by Stefan Bodewig <bo...@apache.org>.
On Fri, 21 Jun 2002, Steve Cohen <St...@ignitesports.com> wrote:

> No path leading to one of our keys found.
> 
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 5F35 E131 F832 ED23 F761 578B EFA3 E779 EDF6 2C35

This means that GPG has verified that the key has been used to sign
the distribution and that the distribution hasn't been altered.

It also means that you don't trust anybody who has signed Magesh's key
(given that Magesh's key hasn't been signed by anybody but Magesh
AFAIK, that would be difficult).

There is a lot to read about that:
<http://www.gnupg.org/gph/en/manual.html#AEN385> probably is a good
starting point.

Stefan

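Added example, not part of the original thread: the two separate questions in the reply above (was the file altered, and does the key belong to its claimed owner) can be read from gpg's machine-readable output (`gpg --status-fd 1 --verify ...`) instead of the human-readable warning. The status lines below are constructed samples, and the function and variable names are hypothetical; the fingerprint is the one printed in the thread and is only meaningful when checked against a copy obtained out of band.

```python
import re

# Fingerprint as printed in the thread. Compare against a copy obtained out of
# band, not one shipped in the same download as the KEYS file.
PINNED_FPR = "5F35 E131 F832 ED23 F761  578B EFA3 E779 EDF6 2C35"

# Constructed samples of `gpg --status-fd 1 --verify` output (dates and
# timestamps are made up for illustration).
SAMPLE_UNTRUSTED = """\
[GNUPG:] GOODSIG EFA3E779EDF62C35 Magesh Umasankar <um...@apache.org>
[GNUPG:] VALIDSIG 5F35E131F832ED23F761578BEFA3E779EDF62C35 2002-05-31 1022885336
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_TAMPERED = """\
[GNUPG:] BADSIG EFA3E779EDF62C35 Magesh Umasankar <um...@apache.org>
"""

def normalize(fpr):
    """Strip spacing and case so printed and machine-readable forms compare."""
    return re.sub(r"\s+", "", fpr).upper()

def assess(status_text, pinned_fpr):
    """Return (integrity_ok, fingerprint_matches, trust) from status lines."""
    good, fpr, trust = False, None, "NONE_REPORTED"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output is not parsed
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG"):
            return (False, False, trust)  # fail closed on any bad signature
        elif keyword == "VALIDSIG" and args:
            fpr = args[0]  # full fingerprint of the signing key
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
    matches = fpr is not None and normalize(fpr) == normalize(pinned_fpr)
    return (good and fpr is not None, matches, trust)

if __name__ == "__main__":
    for name, text in (("untrusted", SAMPLE_UNTRUSTED),
                       ("tampered", SAMPLE_TAMPERED)):
        print(name, assess(text, PINNED_FPR))
```

A result of (True, True, "UNDEFINED") corresponds to the situation in the thread: the file is intact and signed by the pinned key, while the trust database still has no path to that key.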