>Jp Calderone wrote:
> > The required key is indicated in the message. You just need to
> > retrieve it:
> >
> >     gpg --import 41C6E930
> >
> > Re-running --verify should now work.

It doesn't. I get "gpg: can't open `41C6E930': No such file or directory".

At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Partially, yes: it will verify that the signature was made by the public
>key with that key ID. That doesn't mean you know for sure that the
>person you assume to be behind the key really is the "owner" of the key.
>
>For that, you would actually have to validate the public key, e.g. by
>looking at the signatures on the public key, and checking whether you
>recognize them, and whether you believe they would only sign keys for
>people they have verified in person.
>
>This is nothing cheeseshop could help with: the web of trust really is
>between people, not between technology.

So, from a practical perspective, the current signature implementation is of no use whatsoever to the vast majority of cheeseshop users. It seems like it would make more sense to use a format that includes a certificate signature chain (as with Ruby Gems). Having to manually track the keys of individual authors sort of goes against the whole point.
