On Mon, 2008-09-22 at 11:48 -0400, Patrick O'Callaghan wrote:
> On Mon, 2008-09-22 at 09:55 -0400, Art Alexion wrote:
> > > It just means that your key isn't signed by anyone trusted by the
> > > recipients (such as yourself). You either need to exchange signatures
> > > with them, preferably using some out-of-band mechanism such as direct
> > > contact, or have a mutually trusted third party do it. Read up on the
> > > "web of trust" in the GPG docs.
> >
> > As Patrick points out, this is appropriate behavior. What it is saying
> > is that this is a valid signature, based on the person who uploaded the
> > key, but there is no proof that the person who uploaded the key is
> > really you.
>
> Sorry, that's not what I'm saying (or what the GPG error means). First
> of all, there's no indication that the key was "uploaded" anywhere so
> you can't assume it's being checked against a key server such as
> pgp.mit.edu. Second, the validity of the signature has nothing to do
> with whoever uploaded it (if in fact anyone did), and everything to do
> with whoever signed it. Whether you trust the signature or signatures
> (you can have any number of them) is the only thing that matters.
Perhaps we are getting a bit too metaphysical here. How about this? The signature matches up with the one on your keyring, but, being unsigned, there is no proof that you trust that it is indeed the signature of the person that it purports to be. You certify that trust by signing it.

More interesting is that the original poster said the untrusted signature was his own. My only thought is that the signature was not created on the machine that is reading it as untrusted. I generally keep my keyrings on a thumb drive so that all machines I use are using the same versions.

-- 
Art Alexion
MIS x3075