>
>
> Am I doing something wrong?

You have to install the signer's public key.

I strongly agree, this should be documented step by step because it's very
important.
To get Mr. Toseland's latest key, run this:

gpg --recv-keys 75941D88

Then you will have the chance to verify the signature.

Some explanation: to verify a "real" (read: pen) signature you have to know
what the original signature looks like.
With public key cryptography things work in a different (and unusual) way,
but still: you have to know the public key of the signer to check that the
signature is valid.

I found his public key searching for his name in the pgp.mit.edu keyserver:
http://pgp.mit.edu:11371/pks/lookup?search=matthew+toseland&op=index

The email used is the one he uses to participate in this mailing list (
t...@ampibian.dyndns.org) and the comment says "2010-2015 key". So, I
thought, "it must be that one", and it is. (Yes, keys can and in some cases
should expire.)

So, with that command you can download and import his key from a server with
the GPG utility. Then you can verify the signature.
GPG will tell you that the signature is valid, but will still warn you,
since the trust you put in the key is up to you. I mean: who is assuring
that the key you got is REALLY Mr. Toseland's?

But, as he said, you can't have a guarantee of that unless you use a costly
X.509 certificate. So there's no escape. Still, checking a signature made
with a self-signed key is by far more secure than not doing any verification
at all.

Cheers,
-- 
Fabio
_______________________________________________
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:support-requ...@freenetproject.org?subject=unsubscribe
