Hi Mike,

at first: This is a mailing list for people writing documentation for KDE - not a support list, there are other ones :) [0]

> However, when I look this signature up using the "Lookup Certificates on
> Server" button, or when using an independent website, it looks like a valid
> signature. Am I doing something wrong? This doesn't make sense to me. Do I
> need to do something else, or is this an invalid signature?

Frankly I don't use Kleopatra, so I can't tell you. However I'll show you how you'd do it via the command line.

First you download the file you want + its signature, just as you did. Then you import the keys from the URL (I think there was a description in it, but in general you download it and use "gpg --import _file_withkeys_" (you can also use "gpg --recv-keys _keyID_")). You need to do that step, to verify the signature.

Now you can do exactly that by:

gpg --verify apache-ant-1.8.2-bin.zip.asc apache-ant-1.8.2-bin.zip

This should give you a message like this one:

gpg: Signature made Mon Dec 20 19:50:22 2010 CET using RSA key ID 82A7FBCD
gpg: Good signature from "Antoine Levy-Lambert (CODE SIGNING KEY) <antoine at apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0BAD E59B 0EC2 4E68 C03C  A481 5EFA D9FE 82A7 FBCD

Which basically explains itself. The signature fits the key, though you don't really know if Antoine Levy-Lambert is really who he claims he is. You'd need to participate in the web of trust to get rid of that, but you can write me a personal email if you want to know more about that.

Regards,
Michael

[0] http://kde.org/support/mailinglists/ [the kde one is the right one]
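
Added example, not part of the original message: a script that runs the same "gpg --verify" step but accepts the result only when the signing key's primary fingerprint equals one you obtained from a trusted source, which is a fingerprint-pinning check rather than the web of trust mentioned above. The function names and the sample status lines are constructed for illustration; the fingerprint is the one shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message): accept a detached signature
# only if it was made by a key whose fingerprint you already trust.

# Constructed sample of `gpg --status-fd 1 --verify` output; the timestamp and
# algorithm fields are made up, the fingerprint is the one shown in the message.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5EFAD9FE82A7FBCD Antoine Levy-Lambert (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 0BADE59B0EC24E68C03CA4815EFAD9FE82A7FBCD 2010-12-20 1292871022 0 4 0 1 2 00 0BADE59B0EC24E68C03CA4815EFAD9FE82A7FBCD
[GNUPG:] TRUST_UNDEFINED'

# normalize_fpr FPR: drop spaces, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# status_matches_fpr STATUS EXPECTED_FPR (hypothetical helper name)
# Succeeds only if STATUS has a VALIDSIG line for EXPECTED_FPR and reports no
# bad, unverifiable, expired or revoked-key signature.
status_matches_fpr() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if gpg did not print it.
            got = (NF >= 12) ? $12 : $3
            if (toupper(got) == want) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR (hypothetical helper name)
verify_pinned() {
    # The decision is made from the status lines, not from gpg's exit code.
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    status_matches_fpr "$status" "$3"
}

# Usage: sh verify.sh file.asc file "FINGERPRINT FROM A TRUSTED SOURCE"
if [ "$#" -eq 3 ]; then
    verify_pinned "$1" "$2" "$3" && echo "signature OK, fingerprint matches" ||
        { echo "verification FAILED" >&2; exit 1; }
fi
```

The TRUST_UNDEFINED line corresponds to the "not certified with a trusted signature" warning; the script ignores it on purpose because the pinned fingerprint takes the place of that trust decision.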
