On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
> On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
> > Yeah, sure, but:
> >
> >  What does this all mean?  Why should I care?
> >
> >  Where do I get GPG?
> >
> >  Where do I get the samba codesigning key?  How do I import it?   How
> >  do I know I got the right one?
> >
> >  What do I do if it doesn't verify?

> I always wondered if someone uploaded a tarball with a trojan, what's 
> preventing them from updating the .asc file as well?

It's a cryptographic signature that can only be produced using a specific
key.  Assuming that the key belongs to the party whose name is on it, and
assuming that the key is well-protected from theft, and assuming that the
algorithms used by PGP haven't been broken, you can be assured that the
signature was made by the person it claims to have come from.

Asking about, I've been pointed to <http://gnupg.org/gph/en/manual.html>
as a general intro to GPG.

-- 
Steve Langasek
postmodern programmer

Attachment: msg04559/pgp00000.pgp
Description: PGP signature
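
Added example, not part of the original message or of the Samba project: a shell sketch of the point made in the reply above, checking a detached signature against a fingerprint obtained out of band. The function names, file names, e-mail addresses and both keys are constructed for illustration, and GnuPG 2.1 or later is assumed.

```sh
#!/bin/sh
# Added example. Keys, file names and contents are constructed; all state
# lives in a throwaway GNUPGHOME, so your real keyring is not touched.

# verify_pinned FILE SIG FPR: succeed only if SIG is a good signature over
# FILE made by the key whose primary fingerprint is FPR. FPR must come from
# a channel other than the download site (hypothetical helper name).
verify_pinned() (
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || exit 1
    # The last field of a VALIDSIG status line is the primary key fingerprint.
    printf '%s\n' "$status" |
        awk -v want="$3" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
)

# new_key EMAIL: create a passphrase-less signing key, print its fingerprint.
new_key() {
    gpg --batch --quiet --passphrase '' \
        --quick-generate-key "Constructed <$1>" ed25519 sign never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

check() { if verify_pinned "$@"; then echo accepted; else echo rejected; fi; }

demo() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    cd "$GNUPGHOME" || exit 1
    release=$(new_key release@example.invalid)   # the key users pinned
    other=$(new_key other@example.invalid)       # any key that is not it

    echo 'constructed release contents' > pkg.tar
    gpg --batch --quiet -u "$release" --armor --detach-sign -o pkg.tar.asc pkg.tar
    genuine=$(check pkg.tar pkg.tar.asc "$release")

    # Case 1: file replaced, original .asc left in place.
    echo 'modified contents' > pkg.tar
    tampered=$(check pkg.tar pkg.tar.asc "$release")

    # Case 2: .asc replaced too, but it can only be made with a different key.
    gpg --batch --quiet --yes -u "$other" --armor --detach-sign -o pkg.tar.asc pkg.tar
    resigned=$(check pkg.tar pkg.tar.asc "$release")

    echo "genuine=$genuine tampered=$tampered resigned=$resigned"
)

DEMO_RESULT=$(demo)
echo "$DEMO_RESULT"
```

The third case passes a plain `gpg --verify`, because the replacement signature is valid for the key that made it; only the comparison against the pinned fingerprint rejects it.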
