05-14-2008, 11:17 PM
Richard Hector

gpg trust paths

The wiki page for the recent OpenSSL vulnerability offers a perl script
for checking keys, and a gpg signature for that script, and a key id for
that signature (that of Florian Weimer).

I can import the key as shown, and show that the script was indeed
signed by that key.

However, gpg warns me that it can't tell that that key indeed belongs to
Florian Weimer.

How can I fill in that gap, to properly verify the file?

I have signed keys of several people who have been to keysigning parties
at several debconfs, so I feel I should have a trust path to anybody of
significance in the Debian community - though I could be proved wrong.

I've also added the debian keyserver to my ~/.gnupg/options, as well as
the keyring from the debian-keyring package.

Is there a step I'm missing?

Thanks,

Richard



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
05-15-2008, 10:00 AM
Magnus Therning

gpg trust paths

On Thu, May 15, 2008 at 12:17 AM, Richard Hector <richard@walnut.gen.nz> wrote:

> The wiki page for the recent OpenSSL vulnerability offers a perl script
> for checking keys, and a gpg signature for that script, and a key id for
> that signature (that of Florian Weimer)
>
> I can import the key as shown, and show that the script was indeed
> signed by that key.
>
> However, gpg warns me that it can't tell that that key indeed belongs to
> Florian Weimer.
>
> How can I fill in that gap, to properly verify the file?
>
> I have signed keys of several people who have been to keysigning parties
> at several debconfs, so I feel I should have a trust path to anybody of
> significance in the Debian community - though I could be proved wrong.
>
> I've also added the debian keyserver to my ~/.gnupg/options, as well as
> the keyring from the debian-keyring package.
>
> Is there a step I'm missing?

AFAIU you'd need to have all keys of the entire path locally in your keyring in order for GPG to see a trusted path. If you don't want to download all the missing keys you could try a PGP pathfinder on the web (there are several that are easily found).


/M
 
05-15-2008, 09:53 PM
Richard Hector

gpg trust paths

[red face]
After commenting on Magnus cc'ing me, I then sent this to him instead
of the list. Oops. Sorry Magnus.
[/red face]

On Thu, 2008-05-15 at 11:00 +0100, Magnus Therning wrote:
> On Thu, May 15, 2008 at 12:17 AM, Richard Hector
> <richard@walnut.gen.nz> wrote:
>
> > I have signed keys of several people who have been to keysigning parties
> > at several debconfs, so I feel I should have a trust path to anybody of
> > significance in the Debian community - though I could be proved wrong.
> >
> > I've also added the debian keyserver to my ~/.gnupg/options, as well as
> > the keyring from the debian-keyring package.
> >
> > Is there a step I'm missing?
>
> AFAIU you'd need to have all keys of the entire path locally in your
> keyring in order for GPG to see a trusted path. If you don't want to
> download all the missing keys you could try a PGP pathfinder on the
> web (there are several that are easily found).

Thanks for the response (though no need to cc me).

However, having downloaded various keys, I can manually find a path with
only 2 intermediate hops.

The pathfinder at http://pgp.cs.uu.nl/ doesn't have Florian Weimer's
key, so can't find the full path, but can find a path to someone who has
signed it.

The bit that puzzles me is that despite me having all 4 keys, gpg
doesn't find a path.

Unless it's the bit about 'trusted' signatures? Perhaps one of those
signatures is insufficiently trustworthy in some sense?

Richard
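
An added illustration, not part of the thread and not GnuPG's own code: a simplified Python model of GnuPG's classic trust model with its default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5). It shows why a signature chain whose keys are all in the local keyring still leaves the last key unvalidated unless the intermediate signers have been assigned ownertrust. The key names and the keyring are constructed.

```python
# Simplified model of GnuPG's classic trust model; not GnuPG's own code.
FULL, MARGINAL, UNKNOWN, ULTIMATE = "full", "marginal", "unknown", "ultimate"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5  # GnuPG defaults


def valid_keys(signatures, ownertrust):
    """Return {key: depth} for every key the model considers valid.

    signatures: {signed_key: set of signer keys}
    ownertrust: {key: ULTIMATE | FULL | MARGINAL}; missing means UNKNOWN.
    """
    # Depth 0: your own keys (ultimate ownertrust) are valid by definition.
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for s in signers:
                if s not in valid:
                    continue  # signatures from non-valid keys count for nothing
                trust = ownertrust.get(s, UNKNOWN)
                if trust == ULTIMATE:
                    full = COMPLETES_NEEDED  # your own signature is enough
                elif trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


# Constructed keyring: a chain of four keys with two intermediate hops.
SIGS = {"hop1": {"me"}, "hop2": {"hop1"}, "signer": {"hop2"}}


def scenario(trust_in_hops):
    """Validity result for the constructed chain, given ownertrust for the hops."""
    return valid_keys(SIGS, {"me": ULTIMATE, **trust_in_hops})


if __name__ == "__main__":
    print(scenario({}))                              # chain stops at hop1
    print(scenario({"hop1": FULL, "hop2": FULL}))    # signer becomes valid
```

In GnuPG itself, ownertrust for a key is assigned with the `trust` command inside `gpg --edit-key`.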


