GNU-PG verifying question/confusion.

2000-03-14 Thread Martin Bishop
Hi,

I've searched the mailing list archives and couldn't find
the answer so I'm trying here hoping someone could
help.

When I run:
gpg --verify linux-2.3.41.tar.bz2.sign linux-2.3.41.tar.bz2

I get this result:
gpg: Signature made Sat Jan 29 10:18:19 2000 EST using DSA key ID 1E1A8782
gpg: Good signature from Linux Kernel Archives Verification Key [EMAIL PROTECTED]
Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782

My question:
Does this mean that the linux-2.3.41.tar.bz2 is no good or
that the sign file is no good?

I got the public signature key from here:
http://www.kernel.org/signature.html; and
I've imported this key.

Any help is appreciated.

MB.


Re: GNU-PG verifying question/confusion.

2000-03-14 Thread Bruce Sass
It means that gpg can not verify that the Linux Kernel Archives
Verification Key is what it says it is; the tarball has been signed
with that key, but there is no assurance that both the key and tarball
haven't been modified.  What it boils down to is whether or not you
trust that the key you have is the real key you want.

Read the gpg docs for more info on trust.

-- 

On Wed, 15 Mar 2000, Martin Bishop wrote:

> Hi,
>
> I've searched the mailing list archives and couldn't find
> the answer so I'm trying here hoping someone could
> help.
>
> When I run:
> gpg --verify linux-2.3.41.tar.bz2.sign linux-2.3.41.tar.bz2
>
> I get this result:
> gpg: Signature made Sat Jan 29 10:18:19 2000 EST using DSA key ID 1E1A8782
> gpg: Good signature from Linux Kernel Archives Verification Key [EMAIL PROTECTED]
> Could not find a valid trust path to the key.  Let's see whether we
> can assign some missing owner trust values.
>
> No path leading to one of our keys found.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782
>
> My question:
> Does this mean that the linux-2.3.41.tar.bz2 is no good or
> that the sign file is no good?
>
> I got the public signature key from here:
> http://www.kernel.org/signature.html; and
> I've imported this key.
>
> Any help is appreciated.
>
> MB.
 
 


later,

Bruce
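
The distinction discussed in this thread (signature validity versus key trust), as an added example that is not part of either poster's message: a shell function that reads gpg's machine-readable `--status-fd` lines and reports the two questions separately. The function names and verdict words are this example's own, the status lines in `sample_status` are constructed, and the fingerprint is the one printed in the output quoted above.

```shell
#!/bin/sh
# Added example. Input is what this command prints (real gpg options):
#   gpg --status-fd 1 --verify linux-2.3.41.tar.bz2.sign linux-2.3.41.tar.bz2 2>/dev/null
# classify_gpg_status [EXPECTED_FINGERPRINT] reads those lines on stdin and
# prints one verdict: BAD, UNCHECKED, KEY_MISMATCH, GOOD_UNVERIFIED_KEY,
# GOOD_PINNED or GOOD_TRUSTED. The verdict names are this example's own.
classify_gpg_status() {
    # Normalise the expected fingerprint: drop spaces, upper-case the hex.
    expected=$(printf '%s' "${1:-}" | tr -d ' ' | tr 'a-f' 'A-F')
    sig=none; fpr=''; trust=none
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG)   sig=bad ;;            # data or signature was altered
            GOODSIG)  if [ "$sig" != bad ]; then sig=good; fi ;;
            VALIDSIG) fpr=$arg ;;           # full fingerprint of the signing key
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=yes ;;
            TRUST_UNDEFINED|TRUST_NEVER) trust=none ;;
        esac
    done
    if [ "$sig" = bad ]; then echo BAD; return 0; fi
    # Anything that is not a clean GOODSIG (ERRSIG, NO_PUBKEY, EXPKEYSIG, ...)
    # is treated conservatively as "not verified".
    if [ "$sig" != good ]; then echo UNCHECKED; return 0; fi
    if [ -n "$expected" ]; then
        # Pinning: the key is identified by a fingerprint you obtained yourself
        # through a channel other than the one that delivered the key.
        if [ "$fpr" = "$expected" ]; then echo GOOD_PINNED; else echo KEY_MISMATCH; fi
    elif [ "$trust" = yes ]; then
        echo GOOD_TRUSTED
    else
        echo GOOD_UNVERIFIED_KEY    # the situation described in the thread
    fi
}

# Constructed sample, modelled on the output quoted in the thread.
sample_status() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG F2A575DC1E1A8782 Linux Kernel Archives Verification Key' \
      '[GNUPG:] VALIDSIG 9DB4C3A4EF2A3111907282F3F2A575DC1E1A8782 2000-01-29 949159099' \
      '[GNUPG:] TRUST_UNDEFINED'
}

sample_status | classify_gpg_status
sample_status | classify_gpg_status '9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782'
```

The first call prints GOOD_UNVERIFIED_KEY: the tarball matches the signature, but nothing ties the key to its claimed owner. The second prints GOOD_PINNED, which is only as strong as the channel the expected fingerprint came from.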