Thank you.

On Thu, Sep 6, 2012 at 9:51 AM, Chris Hostetter <hossman_luc...@fucit.org> wrote:

> : gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322D7ECA
> : gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>"
> : *gpg: WARNING: This key is not certified with a trusted signature!*
> : gpg: There is no indication that the signature belongs to the owner.
> : Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA
> :
> : Is this acceptable?
>
> I guess it depends on what you mean by acceptable?
>
> I'm not an expert on this, but as I understand it...
>
> gpg is telling you that it confirmed the signature matches a known key
> named "Robert Muir (Code Signing Key)" which is in your keyring, but that
> there is no certified level of trust association with that key.
>
> Key Trust is a personal thing, specific to you, your keyring, and how you
> got the keys you put in that ring. If you trust that the KEYS file you
> downloaded from apache.org is legitimate, and that all the keys in it
> should be trusted, you can tell gpg that. (using the "trust"
> interactive command when using --edit-key)
>
> Alternatively, you could tell gpg that you have a high level of trust in
> the key of some other person you have met personally -- ie: if you met Uwe
> at a conference and he physically handed you his key on a USB drive -- and
> then if Uwe has signed Robert's key with his own (I think it has, not sure
> off the top of my head), then gpg would extend an implicit transitive
> trust to Robert's key...
>
> http://www.gnupg.org/gph/en/manual.html#AEN335
>
>
> -Hoss
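The distinction drawn in the quoted reply (a good signature versus a trusted key), as an added example that is not part of the original thread: it reads the machine-readable keywords gpg emits with `--status-fd` and compares the primary key fingerprint with the one printed in the message. The status text and the `signer@example.invalid` address are constructed, and treating that fingerprint as confirmed out of band is an assumption.

```python
# Added example (not from the thread): separate "signature is valid" from
# "key is trusted" using gpg's --status-fd keywords.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Fingerprint as printed in the thread; assumed here to have been confirmed
# out of band (for example against a KEYS file you trust).
PINNED = "6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA"

# Constructed status output for the case in the thread (not a real capture).
SAMPLE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 817AE1DD322D7ECA Robert Muir (Code Signing Key) <signer@example.invalid>
[GNUPG:] VALIDSIG 66619BA3C030DD5536251303817AE1DD322D7ECA 2012-08-07 1344307941 0 4 0 1 2 00 66619BA3C030DD5536251303817AE1DD322D7ECA
[GNUPG:] TRUST_UNDEFINED
"""

def assess(status_text, pinned=PINNED):
    """Return signature validity, key trust and an overall verdict."""
    pinned = pinned.replace(" ", "").upper()
    good, bad, primary, trust = False, False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        key = fields[0]
        if key == "GOODSIG":
            good = True
        elif key in BAD:
            bad = True
        elif key == "VALIDSIG" and len(fields) > 1:
            # Field 10 is the primary key fingerprint when gpg reports it.
            primary = (fields[10] if len(fields) > 10 else fields[1]).upper()
        elif key.startswith("TRUST_"):
            trust = key[len("TRUST_"):].lower()
    sig_ok = good and not bad and primary is not None
    if not sig_ok:
        verdict = "reject"               # the data does not match the signature
    elif primary == pinned:
        verdict = "accept-pinned"        # key identity checked by fingerprint
    elif trust in ("fully", "ultimate"):
        verdict = "accept-web-of-trust"  # gpg itself considers the key valid
    else:
        verdict = "unverified-key"       # the WARNING case from the thread
    return {"signature_ok": sig_ok, "trust": trust, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

With a real download, the status text would come from `gpg --status-fd 1 --verify <signature> <file>`; a single signature per file is assumed.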