On Fri, Nov 27, 2015 at 12:54:42PM +0100, [email protected] wrote: > On Fri, Nov 27, 2015 at 09:06:02AM +0100, Petter Reinholdtsen wrote: > > > > Package: cpm > > Version: 0.32-1 > > Severity: important > > > > When I try to access the password database for a association where I am > > a member and which is encrypted using one of my keys, I get this error: > > > > GpgMe verify error > > > > Database signed with keys of unknown validity. You must trust the key > > with fingerprint <key-fingerprint> before proceeding [snip]
> The reason why CPM needs you to trust the signer is one of security; > if you are sharing a password database, and a new user appears > replaces the database, this database could contain misinformation. What I wrote is for the case where there is no trust chain, however on second read, what is more particular is what you write here: > The key with the given fingerprint (replaced with <key-fingerprint> > above) is one I have not signed, but it is signed by a key I have > signed. That is a shame, as I would expect GpgMe, the underlying GPG library, to follow WoT-style signature chains. I'll look into whether this is an option we haven't enabled in GpgMe or whether to kick this upstream to the GpgMe authors. -Kacper

