Re: [Evolution] Signing messages with PGP



On Mon, 2008-09-22 at 11:48 -0400, Patrick O'Callaghan wrote:
> On Mon, 2008-09-22 at 09:55 -0400, Art Alexion wrote:
> >> It just means that your key isn't signed by anyone trusted by the
> >> recipients (such as yourself). You either need to exchange signatures
> >> with them, preferably using some out-of-band mechanism such as direct
> >> contact, or have a mutually trusted third party do it. Read up on the
> >> "web of trust" in the GPG docs.
> >
> > As Patrick points out, this is appropriate behavior.  What it is saying
> > is that this is a valid signature, based on the person who uploaded the
> > key, but there is no proof that the person who uploaded the key is
> > really you.
>
> Sorry, that's not what I'm saying (or what the GPG error means). First
> of all, there's no indication that the key was "uploaded" anywhere so
> you can't assume it's being checked against a key server such as
> pgp.mit.edu. Second, the validity of the signature has nothing to do
> with whoever uploaded it (if in fact anyone did), and everything to do
> with whoever signed it. Whether you trust the signature or signatures
> (you can have any number of them) is the only thing that matters.

Perhaps we are getting a bit too metaphysical here.  How about this?
The signature matches up with the one on your keyring, but, being
unsigned, there is no proof that you trust that it is indeed the
signature of the person that it purports to be.  You certify that trust
by signing it.

More interesting is that the original poster said the untrusted
signature was his own.  My only thought is that the signature was not
created on the machine that is reading it as untrusted.  I generally
keep my keyrings on a thumbdrive so that all machines I use are using
the same versions.

-- 
Art Alexion
MIS
x3075
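The situation the thread describes, as an added example that is not code from the thread or from Evolution: two throwaway GnuPG homes stand in for two machines with separate keyrings, a signature verifies but is reported as untrusted because the recipient has not certified the sender's key, and certifying (signing) the key is what changes the verdict. It assumes GnuPG 2.x is installed; the names, addresses and message are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: show gpg's verdict on a valid signature
# from an uncertified key, then the same signature after the recipient
# certifies (signs) that key. Assumes GnuPG 2.x; all names are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; exit 0; }

WORK=$(mktemp -d)
SENDER="$WORK/sender"; RECIPIENT="$WORK/recipient"
mkdir -m 700 "$SENDER" "$RECIPIENT"
MSG="$WORK/msg.txt"
printf 'Hello from the sender\n' > "$MSG"

# Sender's machine: an unprotected key, then a detached signature on the message.
GNUPGHOME="$SENDER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Sender <sender@example.invalid>' default default never
GNUPGHOME="$SENDER" gpg --batch --quiet --armor --detach-sign "$MSG"

# Recipient's machine: its own (ultimately trusted) key, plus the sender's
# public key imported from an export, as a key server or attachment would deliver it.
GNUPGHOME="$RECIPIENT" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Recipient <recipient@example.invalid>' default default never
GNUPGHOME="$SENDER" gpg --batch --quiet --armor --export sender@example.invalid \
    | GNUPGHOME="$RECIPIENT" gpg --batch --quiet --import
SENDER_FPR=$(GNUPGHOME="$RECIPIENT" gpg --batch --with-colons --fingerprint \
    sender@example.invalid | awk -F: '$1 == "fpr" { print $10; exit }')

# gpg's machine-readable verdict on the signature (TRUST_UNDEFINED, TRUST_FULLY, ...),
# read from the status output instead of parsing the human-readable warning.
trust_status() {
    GNUPGHOME="$RECIPIENT" gpg --batch --status-fd 1 --verify "$MSG.asc" "$MSG" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2 }'
}

# The step the thread calls for: certify the sender's key with the recipient's own
# key (a local, non-exportable signature here; check the fingerprint out of band first).
certify_sender() {
    GNUPGHOME="$RECIPIENT" gpg --batch --yes --quiet --quick-lsign-key "$SENDER_FPR"
}

BEFORE=$(trust_status)   # TRUST_UNDEFINED: signature is valid, key is uncertified
certify_sender
AFTER=$(trust_status)    # TRUST_FULLY: same signature, key now certified
echo "before: $BEFORE  after: $AFTER"
GNUPGHOME="$SENDER" gpgconf --kill all 2>/dev/null || true
GNUPGHOME="$RECIPIENT" gpgconf --kill all 2>/dev/null || true
```

The signature bytes never change between the two runs; only the recipient's certification of the key does, which is why the thread's suggestion of keeping one keyring across machines (or exchanging signatures) makes the warning go away.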
