On Fri, Nov 27, 2015 at 09:06:02AM +0100, Petter Reinholdtsen wrote:
> 
> Package: cpm
> Version: 0.32-1
> Severity: important
> 
> When I try to access the password database for a association where I am
> a member and which is encrypted using one of my keys, I get this error:
> 
>   GpgMe verify error
> 
>   Database signed with keys of unknown validity. You must trust the key
>   with fingerprint <key-fingerprint> before proceeding
> 
> The key with the given fingerprint (replaced with <key-fingerprint>
> above) is one I have not signed, but it is signed by a key I have
> signed.
> 
> It seem strange to me that cpm refuses to show me passwords I am able to
> decrypt, just because I do not trust the key used to sign the database.
> What exactly is the problem here?  Do I really need to trust everyone I
> get passwords from according to cpm?
> 
> Is there a way to get cpm to show me the passwords anyway?

Yes, the way to see the passwords is to trust the signer.

You can use local trust for this.

The reason why CPM needs you to trust the signer is one of security;
if you are sharing a password database, and a new user appears
replaces the database, this database could contain misinformation.

Regards,
 Kacper

Reply via email to