Re: certification of signatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

mike wrote:
> I have a real basic question about verifying your download for Fedora 7,
> 8 and 9.  I'm new to keys, signatures, certification, etc. and I haven't
> been able to find what I need in the Fedora help resources.  Apologies  
> if this is the wrong place to post or if a similar post appears (not  
> sure that it was lost).
>
> The following is for Fedora 9.  I downloaded the iso on May 8th and  
> SHA1SUM on September 2 from the Kent mirrorservice in the UK.
>
> If I follow the instructions at http://fedoraproject.org/en/verify I get:
>
> [mike@desktop iso]$ gpg --verify SHA1SUM
> gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
> gpg: Good signature from "Fedora Project <fedora@xxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
> [mike@desktop iso]$
>
> My question is do I need to worry about the lack of certification?

That really depends on how cautious you want to be.

> If I do how do I check that the signature is certified?

You can verify the fedora gpg keys by following the steps at:

https://fedoraproject.org/en/keys

The key used to sign the Fedora 9 and earlier isos is now in the
"Obsolete keys" section, but the fingerprint information on that page
is still accurate.

> Also, does this have  anything to do with the migration to new
> package keys?

Nope.

Though if you download Fedora 10 Beta, you'll find that it is signed
with a new key, which is not mentioned on the /verify page.  This will
hopefully be fixed¹ before Fedora 10 is released.

¹ https://fedorahosted.org/fedora-infrastructure/ticket/888

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A cynic is a man who, when he smells flowers, looks around for a
coffin.
    -- H. L. Mencken

Attachment: pgpDAXlMsKSw1.pgp
Description: PGP signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux