On Wed, Mar 18, 2009 at 05:24:12PM +0530, Vinay M wrote:
> Hi,
>
> When I run command "gpg --verify <file.sig>" I get the below mentioned
> warning.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> 1. I want to avoid this warning. How do I do that?
> 2. Is this avoidable if I go with a trusted signature?
> 3. What does this warning exactly mean?

It means that you haven't signed the key that you are using to check the signature, and GnuPG isn't able to validate the key with your web-of-trust.

Going back to basics for a moment...

You have got this signed file from somewhere. You have also obtained the key which claims to be from the sender. You might have got the key from a public keyserver, or possibly from somewhere else.

How do you know that the key really is owned by the person it claims? Anyone can upload a key to a keyserver claiming to be from anyone. I could upload a key to a keyserver with the id "[email protected]" and you would then download it.

You need to build yourself a web-of-trust by doing some keysigning. I suggest reading the GNU Privacy Handbook, on the GnuPG website, and if you still have questions, come back and ask...

-- 
David Smith         | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics  | Fax: +44 (0)1454 462305    Mobile: +44 (0)7932 642724
1000 Aztec West     | TINA: 065 2380             GPG Key: 0xF13192F2
Almondsbury         | Work Email: [email protected]
BRISTOL, BS32 4SQ   | Home Email: [email protected]
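
The distinction drawn in the reply above, between a signature that verifies and a key that has been certified as belonging to its owner, can be read from gpg's machine-readable status lines. This is an added example, not part of the original thread; the function name `classify_status`, the result words it prints, and the sample key ID and user ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the status lines that
#   gpg --status-fd 1 --verify file.sig 2>/dev/null
# writes, read here from stdin. Prints one word:
#   bad          no good signature (BADSIG, ERRSIG, or no GOODSIG at all)
#   uncertified  good signature, key validity undefined: the case in which
#                gpg prints the "not certified with a trusted signature" warning
#   distrusted   good signature, key explicitly marked as not trusted
#   marginal     good signature, key only marginally valid
#   valid        good signature, key fully or ultimately valid
classify_status() (
    # Subshell body keeps the variables local; start from the weakest validity.
    good=0 bad=0 validity=uncertified
    while read -r prefix tag _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue   # ignore human-readable lines
        case "$tag" in
            GOODSIG)                    good=1 ;;
            BADSIG|ERRSIG)              bad=1 ;;
            TRUST_UNDEFINED)            validity=uncertified ;;
            TRUST_NEVER)                validity=distrusted ;;
            TRUST_MARGINAL)             validity=marginal ;;
            TRUST_FULLY|TRUST_ULTIMATE) validity=valid ;;
        esac
    done
    # Key validity only matters once the signature itself has checked out.
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ]; then
        echo bad
    else
        echo "$validity"
    fi
)

# Constructed sample status output; key ID and user ID are placeholders.
SAMPLE_UNCERTIFIED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_CERTIFIED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] TRUST_FULLY'
SAMPLE_TAMPERED='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'

for sample in "$SAMPLE_UNCERTIFIED" "$SAMPLE_CERTIFIED" "$SAMPLE_TAMPERED"; do
    printf '%s\n' "$sample" | classify_status
done
```

A key moves from `uncertified` to `valid` once you have compared its fingerprint (`gpg --fingerprint`) with the owner through a separate channel and certified it with your own key, for instance with `gpg --lsign-key`.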
