Gentoo Forums
FAQ: gpg --verify stage 3 "signature not trusted"
potuz
Guru
Joined: 30 Jan 2010
Posts: 378

Posted: Fri Dec 20, 2013 8:59 pm    Post subject: FAQ: gpg --verify stage 3 "signature not trusted"

This has been asked a thousand times, and this happened to me before, but for some reason all the solutions I find online now don't seem to work for me.

Code:
$ gpg --keyserver subkeys.pgp.net --recv-keys 0xBB572E0E2D182910
gpg: requesting key 2D182910 from hkp server subkeys.pgp.net
gpg: key 2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ gpg  --verify ~/Downloads/stage3-amd64-nomultilib-20131219.tar.bz2.DIGESTS.asc
gpg: Signature made Thu 19 Dec 2013 07:29:33 PM GMT using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910

Why is that warning still popping up?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13848

Posted: Fri Dec 20, 2013 11:43 pm

As the message states, although the signature in the .asc was generated using the shown key, there is no reason for gpg to believe that the shown key is owned by someone trustworthy. An attacker could generate a gpg key with that e-mail address and name, sign a malicious payload with it, and post his key to the keyservers. If you then fetched his key, you would get exactly the same output as shown. The only reason you can trust that file is that you (presumably) trust the server which told you the key ID to fetch.
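The reply above places the trust in where the key's identity came from, not in gpg's "Good signature" line. As an added example (not part of the original posts), the shell functions below compare the primary key fingerprint that gpg reports on its status output with a full fingerprint you pinned yourself. The function names are hypothetical, and the pinned value is simply the one printed in the first post, to be replaced with one confirmed through a source you trust.

```shell
#!/bin/sh
# Added example, not from the thread. PINNED_FPR is the fingerprint printed in
# the first post; replace it with one confirmed through a source you trust.
PINNED_FPR="13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910"

# Strip whitespace and an optional 0x prefix, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# status_matches_pin PIN: reads `gpg --status-fd` lines on stdin and succeeds
# only if every VALIDSIG names PIN as its primary key and nothing failed.
status_matches_pin() {
    want=$(normalize_fpr "$1")
    # Require a full 40-hex-digit (v4) fingerprint; short and long key IDs
    # such as 2D182910 or 0xBB572E0E2D182910 are refused as pins.
    [ "${#want}" -eq 40 ] || return 1
    case $want in *[!0-9A-F]*) return 1 ;; esac
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Reject failed signatures and expired or revoked keys, even if a
        # VALIDSIG line is also present.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # In current GnuPG the last VALIDSIG field is the primary key
        # fingerprint; if it is absent the comparison fails closed.
        $2 == "VALIDSIG" { seen = 1; if (toupper($NF) != want) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# verify_pinned FILE: run gpg on a signed file and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | status_matches_pin "$PINNED_FPR"
}

# Stand-alone use: sh this-script stage3-....DIGESTS.asc
if [ "$#" -gt 0 ]; then
    verify_pinned "$1" && echo "signed by pinned key" || { echo "NOT verified" >&2; exit 1; }
fi
```

A key uploaded under the same name and e-mail address would still produce "Good signature" in gpg's normal output, but its fingerprint differs from the pin, so this check fails for it.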