Mark Brouwer wrote:
> Also I tried to verify the distributions, I imported the KEYS file and
> received the keys of Jim, Frank and Jukka but all I get is this.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> So what is going wrong here?

In PGP, you have to set the "key (owner) trust". Just importing the key does of course not mean that you trust the key. The usual procedure is to contact the key owner over a secure medium (ideally f2f) to cross-check the fingerprint of the key. Then you can set the key trust, and will mostly sign his key, so that all other PGP users can see that you trust this key.

This trust is calculated in a transitive way, so if you trust Jim Hurley's key "ultimately", you automatically trust Frank Barnaby's key because of Jim's signature of Frank's key.

Unfortunately there is nothing like a root CA in PGP - that's why it is a _web_ of trust - so this warning will appear for anyone who doesn't trust e.g. one of the ASF members' keys. There is something called like "inner ring", but even that is not installed with gpg normally, unlike the root CA certificates delivered with web browsers.

hth
Matthias
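
The transitive calculation described in the reply above, as an added example that is not part of the original message. It is a simplified model of GnuPG's classic trust model, assuming the defaults of one fully trusted or three marginally trusted signatures and a maximum chain depth of 5; the signature graph is constructed sample data (only Jim's signature on Frank's key comes from the thread) and "me" is a hypothetical local key.

```python
# Simplified model of how gpg decides whether a key is "certified with a
# trusted signature". Added example; the sample web below is constructed.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
WARNING = "WARNING: This key is not certified with a trusted signature!"

def valid_keys(signatures, ownertrust, completes=1, marginals=3, max_depth=5):
    """signatures: key -> set of keys that signed it.
    ownertrust: key -> how far you trust that owner as a certifier."""
    # Ultimately trusted keys (normally your own) are valid by definition.
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for _ in range(max_depth):           # each pass extends chains by one hop
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by already-valid keys are counted.
            counted = [ownertrust.get(s, UNKNOWN) for s in signers if s in valid]
            full = sum(t in (ULTIMATE, FULL) for t in counted)
            marg = sum(t == MARGINAL for t in counted)
            if full >= completes or marg >= marginals:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

def verify_status(key, signatures, ownertrust):
    """What a signature check by `key` would report in this model."""
    return "ok" if key in valid_keys(signatures, ownertrust) else WARNING

# Constructed web: Jim signed Frank's key; nobody here signed Jukka's.
SIGS = {"Jim": set(), "Frank": {"Jim"}, "Jukka": set()}

# 1. Keys only imported from KEYS, no owner trust set: every key warns.
IMPORT_ONLY = {}
# 2. Jim's key set to "ultimate": Frank becomes valid through Jim's signature.
JIM_ULTIMATE = {"Jim": ULTIMATE}
# 3. Usual procedure: check Jim's fingerprint, sign his key with your own
#    (hypothetical "me"), then give Jim full owner trust.
SIGS_SIGNED = {**SIGS, "Jim": {"me"}}
SIGNED_JIM = {"me": ULTIMATE, "Jim": FULL}

if __name__ == "__main__":
    for name in ("Jim", "Frank", "Jukka"):
        print(name, "|", verify_status(name, SIGS, IMPORT_ONLY),
              "|", verify_status(name, SIGS_SIGNED, SIGNED_JIM))
```

Jukka's key keeps producing the warning in every scenario because no valid key in this sample web has signed it.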
