On Fri, Nov 27, 2015 at 12:54:42PM +0100, [email protected] wrote:
> On Fri, Nov 27, 2015 at 09:06:02AM +0100, Petter Reinholdtsen wrote:
> > 
> > Package: cpm
> > Version: 0.32-1
> > Severity: important
> > 
> > When I try to access the password database for a association where I am
> > a member and which is encrypted using one of my keys, I get this error:
> > 
> >   GpgMe verify error
> > 
> >   Database signed with keys of unknown validity. You must trust the key
> >   with fingerprint <key-fingerprint> before proceeding
[snip]

> The reason why CPM needs you to trust the signer is one of security;
> if you are sharing a password database, and a new user appears
> replaces the database, this database could contain misinformation.

What I wrote is for the case where there is no trust chain, however
on second read, what is more particular is what you write here:

> The key with the given fingerprint (replaced with <key-fingerprint>
> above) is one I have not signed, but it is signed by a key I have
> signed.

That is a shame, as I would expect GpgMe, the underlying GPG library,
to follow WoT-style signature chains. 

I'll look into whether this is an option we haven't enabled in GpgMe or
whether to kick this upstream to the GpgMe authors.

-Kacper

Reply via email to