Phillip J. Eby wrote: > >> Jp Calderone wrote: >> > The required key is indicated in the message. You just need to >> retrieve it: >> > >> > gpg --import 41C6E930 >> > >> > Re-running --verify should now work. > > > It doesn't. I get "gpg: can't open `41C6E930': No such file or directory".
It's not --import, but --recv-keys. I get [EMAIL PROTECTED]:~$ gpg --recv-keys 41C6E930 gpg: requesting key 41C6E930 from hkp server wwwkeys.pgp.net gpg: key 41C6E930: "Richard Jones <[EMAIL PROTECTED]>" 31 new signatures gpg: public key CA66D0B1 is 24595 seconds newer than the signature gpg: public key CA66D0B1 is 24557 seconds newer than the signature gpg: 3 marignal-needed, 1 complete-needed, classic Trust-Modell gpg: depth: 0 valid: 3 signed: 40 trust: 0-, 0q, 0n, 0m, 0f, 3u gpg: public key CA66D0B1 is 24557 seconds newer than the signature gpg: depth: 1 valid: 40 signed: 120 trust: 36-, 0q, 0n, 0m, 4f, 0u gpg: depth: 2 valid: 60 signed: 151 trust: 53-, 0q, 0n, 0m, 7f, 0u gpg: depth: 3 valid: 29 signed: 78 trust: 26-, 0q, 0n, 0m, 3f, 0u gpg: depth: 4 valid: 6 signed: 8 trust: 5-, 0q, 0n, 1m, 0f, 0u gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2005-11-13 gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1 gpg: neue Signaturen: 31 > So, from a practical perspective, the current signature implementation > is of no use whatsoever to the vast majority of cheeseshop users. I can't speak for the vast majority of the cheeseshop users; the vast majority of regular GPG users who ever signed somebody else's key is probably able to find a chain of trust to Richard Jones. > It seems like it would make more sense to use a format that includes a > certificate signature chain (as with Ruby Gems). Having to manually > track the keys of individual authors sort of goes against the whole point. Why is that any better? Where do I get a code-signing certificate from? Regards, Martin _______________________________________________ Catalog-sig mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
