
List:       fedora-list
Subject:    Re: Upgrade to Fedora-26 vs gpg download verification
From:       Tim <ignored_mailbox () yahoo ! com ! au>
Date:       2017-07-28 3:31:51
Message-ID: 1501211991.14027.9.camel () paralytic ! lan ! cameratim ! com

Jonathan Ryshpan:
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: E641 850B 77DF 4353 78D1  D7E2 812A 6B4B 64DA B85D

Todd Zullinger:
> The warning here is telling you that gpg can't say with any certainty 
> that the key which made the good signature is a key you trust, because 
> the fedora key isn't signed by you or someone you have told gpg you 
> trust.
> 
> This warning is, IMO, something which is completely reasonable to 
> ignore in this particular case.  (It is an entirely valid warning and 
> in many other cases where you'd be verifying a gpg signature it would 
> be important information that should affect your trust of a 
> signature.)
> 
> Your trust in the fedora gpg key is intended to come from the fact 
> that you've downloaded it via https directly from the fedora site (as 
> opposed to getting it from a keyserver or a mirror).  All trust starts 
> somewhere, after all. :)

This is where you want to find a fingerprint of the key on the Fedora
website, so you can do a check on the check of the checksum...  ;-)

You're hoping that if someone has actually managed to insert a forged
GPG key, that they can't *also* upload a forged checksum (what you're
using as a double-check) onto the website.

Personally, I think this kind of thing is a bit of a failing.  Trying to
verify everything isn't the easiest of things to do, and it's not helped
by having to search through a website for the information and
instructions.  On top of that, I feel that for something as important as
the fingerprint of the GPG key, that ought to get displayed on the
homepage, where someone is quickly going to notice if it changed.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

This email tagline has been Australianised. Bloody oath...


_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
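The verification chain the thread is arguing about (pin the key by the fingerprint published on the Fedora site, then let that key vouch for the signed CHECKSUM file, then let the CHECKSUM file vouch for the image) can be scripted so that the fingerprint comparison is not left to eyeballing. The script below is an added example, not code from the thread or from the Fedora project. It assumes gpg and sha256sum are installed, that the key file, the CHECKSUM file and the image have already been fetched over HTTPS from the Fedora site, and that `--import-options show-only` (GnuPG 2.1.13 or later) and `sha256sum --ignore-missing` (coreutils 8.25 or later) are available. The expected fingerprint is the one quoted in the thread; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Fedora download by pinning the
# signing key to a known fingerprint before trusting anything it signed.

# Normalise a fingerprint so that "e641 850b ..." (as typed from a web page)
# and "E641850B..." (as printed by gpg --with-colons) compare equal:
# drop spaces and newlines, uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 when the two fingerprints match after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the fingerprints found in a public key file without importing it,
# using gpg's machine-readable colon format ("fpr" records, field 10).
# The first record is the primary key's fingerprint; later ones are subkeys.
key_fingerprints() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Full chain: pinned fingerprint -> import key -> verify signed CHECKSUM -> verify image.
# Usage: verify_download fedora.gpg Fedora-Workstation-26-1.5-x86_64-CHECKSUM "<fingerprint>"
verify_download() {
    keyfile=$1; checksum=$2; expected_fpr=$3

    found=$(key_fingerprints "$keyfile" | head -n 1)
    if ! fpr_matches "$found" "$expected_fpr"; then
        echo "key fingerprint mismatch: got '$found', expected '$expected_fpr'" >&2
        return 1
    fi
    gpg --import "$keyfile" || return 1

    # A bad or missing signature makes gpg exit non-zero. The "key is not
    # certified with a trusted signature" warning alone does not; the
    # fingerprint check above is what stands in for web-of-trust certification.
    gpg --verify "$checksum" || return 1

    # The CHECKSUM file lists every image of the release; --ignore-missing
    # checks only the image(s) present in the current directory.
    sha256sum --ignore-missing -c "$checksum"
}

# Run the chain when invoked with three arguments; otherwise only define the functions.
if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```

Typing the fingerprint from the website into the third argument is the step that replaces the trust gpg is warning it cannot establish; if the key file and the fingerprint came from the same compromised page, the check proves nothing, which is the concern raised above.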
