>On Sat, 19 Nov 2011 00:00:48 +0000 >Jeremy Henty <[email protected]> wrote: > > > Ken Moffat wrote: > > > If verifying keys means I need to create my own key, [...] > > It doesn't. For years I have used GPG/GPG2 to verify keys and I have > never told it to trust my key or anyone else's. The downside is that > GPG will complain every time that it can't trust the identity of the > keyholder even though it has verified that the file was signed with > the key. If you can tolerate that noise then you can use GPG to > verify signatures without worrying about trust. > > Regards, > > Jeremy Henty
On the heels of the previous two e-mails, perhaps a hands on explanation could also help: When using GnuPG to verify e-mails, the task is split between the MUA and gpg in that MUA handles the mails to be verified and their signatures, while gpg handles the keys and the actual checking. So, to be able to check, your mail agent must be able to do so. I will assume you have that covered. Next, you have to get the keys. You probably know that, in public cryphography, a "key" has to halves: the private one, which is jelously guarded by the key owner, and the public part, which is let to wander the world. To ease the finding of the keys, there are such things as keyservers. They are just repositories of public keys. One is at pgp.mit.edu . Next, you need to know the identifier of the key. It is a 32-bit number, expressed in hexadecimal. For example: E608E56E, which is the identifier for Bryan Kadzban's key. When trying to verify, if gpg can not find the key, it will alert you and tell you the ID of the key. Get that ID and do this: gpg --keyserver pgp.mit.edu --recv-keys <key-ID> You can use any other keyserver, they sync with each other. If all went well, you will now have the key you can use to verify stuff. $gpg --verify ~/sigs/polipo-1.0.4.1.tar.gz.asc polipo-1.0.4.1.tar.gz gpg: Signature made Mon Feb 1 00:14:37 2010 CET using RSA key ID 0F8DA163 gpg: Good signature from "Mangrin Remailer Admin <[email protected]>" gpg: aka "Christopher Davis <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 50D0 B58E 839F 5037 7D19 769F CEDB EE06 0F8D A163 $gpg --list-key 0F8DA163 pub 2048R/0F8DA163 2008-12-19 uid Mangrin Remailer Admin <[email protected]> uid Christopher Davis <[email protected]> sub 4096R/FA130C4A 2008-12-19 [expires: 2012-12-18] You can clearly see the warning that the key has not been verified. This is suboptimal, but not that bad, given the context: I have the key for some time and have checked earlier versions of Polipo. Also, the checks were diluted in time and space - by downloading the same signature several times over a few weeks/months, I reduce the chance of a successful attack against me: they may MiM me once, but three times is unlikely. I also had the benefit of being abroad for studies (I'm from Serbia and was studying in Croatia) and literaly changing both the country and the IP route to the Internet twice a year, further reducing likelyhood of a successful attack. This may also be done if you have two ISPs. Say, one broadband and one dial-up. Just download the signature first by broadband, then dial-up and verify the tarball with both. If all works, especially over a period of time, then you probably have the right signature. -- Fourth law of programming: Anything that can go wrong wi sendmail: segmentation violation - core dumped -- http://linuxfromscratch.org/mailman/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
