On Mon, 2008-09-22 at 08:48 -0400, Patrick O'Callaghan wrote:
> On Mon, 2008-09-22 at 12:43 +0100, Andrew Taylor wrote:
> > My recipients get a message stating: "Valid signature but cannot verify sender."
> >
> > When I click on the key icon I get the following:
> >
> > gpg: armour header: Version: GnuPG v1.4.6 (GNU/Linux)
> > gpg: Signature made Mon 22 Sep 2008 12:39:44 BST using DSA key ID <deleted>
> > gpg: using PGP trust model
> > gpg: Good signature from "Andrew "Ampers" Taylor (Dated 1stSeptember2008) <ampers gmail com>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: FBAA 4578 313F C31B FEF3 A804 6A9E 3CAEE0310EF1
> > gpg: binary signature, digest algorithm SHA1
> >
> > Any clues? I recently had to reload Ubuntu onto my PC.
>
> It just means that your key isn't signed by anyone trusted by the recipients (such as yourself). You either need to exchange signatures with them, preferably using some out-of-band mechanism such as direct contact, or have a mutually trusted third party do it. Read up on the "web of trust" in the GPG docs.

As Patrick points out, this is appropriate behavior. What it is saying is that this is a valid signature, based on the person who uploaded the key, but there is no proof that the person who uploaded the key is really you.

-- 
Art Alexion
Resources for Human Development, Inc.
215-951-0300 x3075
4700 Wissahickon Ave.
art rhd org
Philadelphia, PA 19144
www.rhd.org
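
The two separate questions this thread distinguishes (is the signature cryptographically good, and is the signing key certified by someone the verifier trusts) can be read from GnuPG's machine-readable `--status-fd` output. The following is an added example, not part of the original messages: the verdict strings, the sample status lines, the fingerprint and the identity are constructed for illustration, and a single signature per message is assumed.

```python
# Added example: classify `gpg --status-fd 1 --verify` output the way a mail client might.
PREFIX = "[GNUPG:] "
SIG_PROBLEM = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
CERTIFIED = {"TRUST_FULLY", "TRUST_ULTIMATE"}          # key validity is sufficient
UNCERTIFIED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}

def parse_status(text):
    """Yield (keyword, args) for each machine-readable status line."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, rest = line[len(PREFIX):].partition(" ")
            yield keyword, rest.split()

def classify(text):
    """Answer two questions: is the signature good, and is the key certified?"""
    sig_state = fingerprint = key_validity = None
    for keyword, args in parse_status(text):
        if keyword == "GOODSIG" or keyword in SIG_PROBLEM:
            sig_state = keyword
        elif keyword == "VALIDSIG" and args:
            fingerprint = args[0]
        elif keyword in CERTIFIED | UNCERTIFIED:
            key_validity = keyword
    if sig_state != "GOODSIG" or fingerprint is None:
        verdict = "signature NOT verified"
    elif key_validity in CERTIFIED:
        verdict = "valid signature, sender verified"
    else:
        # Good math, but nothing ties the key to the claimed owner.
        verdict = "valid signature but cannot verify sender"
    return {"signature": sig_state, "fingerprint": fingerprint,
            "key_validity": key_validity, "verdict": verdict}

# Constructed sample outputs (placeholder fingerprint and identity, not from the thread).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_GOOD = (f"[GNUPG:] GOODSIG {FPR[-16:]} Alice Example <alice@example.org>\n"
         f"[GNUPG:] VALIDSIG {FPR} 2008-09-22 1222083584 0 3 0 17 2 00 {FPR}\n")
UNCERTIFIED_KEY = _GOOD + "[GNUPG:] TRUST_UNDEFINED\n"   # the situation in this thread
CERTIFIED_KEY = _GOOD + "[GNUPG:] TRUST_FULLY\n"         # after the key has been certified
TAMPERED = f"[GNUPG:] BADSIG {FPR[-16:]} Alice Example <alice@example.org>\n"

if __name__ == "__main__":
    for name, sample in [("uncertified", UNCERTIFIED_KEY),
                         ("certified", CERTIFIED_KEY), ("tampered", TAMPERED)]:
        print(name, "->", classify(sample)["verdict"])
```

The only difference between the first two samples is the `TRUST_*` line, which changes when the recipient's keyring gains a trusted certification of the key, not when anything about the message or signature changes.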