On Wed, Sep 14, 2011 at 10:46:17AM -0700, Big Momma wrote: > I am using Ubuntu 10.04 and have the following line in my > /etc/apt/sources.list > > deb http://deb.torproject.org/torproject.org lucid main > > I then followed the instructions here > > https://www.torproject.org/docs/debian.html.en > > Why are there 3 new signatures? What does this mean? Thanks. > > gpg --keyserver keys.gnupg.net --recv 886DDD89 > gpg: requesting key 886DDD89 from hkp server keys.gnupg.net > gpg: key 886DDD89: "deb.torproject.org archive signing key" 3 new signatures > gpg: no ultimately trusted keys found > gpg: Total number processed: 1 > gpg: new signatures: 3
It means you had a copy of the key already, and now you downloaded a few more signatures on the key, which can be used to improve your trust in it if you recognize and trust any of the keys that signed it. Do a "gpg --list-sigs 886DDD89" and you'll see (assuming you import the other keys too) something like: $ gpg --list-sigs 886DDD89 pub 2048R/886DDD89 2009-09-04 [expires: 2014-09-03] uid deb.torproject.org archive signing key sig 3 886DDD89 2009-09-04 deb.torproject.org archive signing key sig 3 94C09C7F 2009-09-04 Peter Palfrader sig 28988BF5 2009-09-11 Roger Dingledine <[email protected]> sig 31B0974B 2009-09-13 Andrew Lewman (phobos) <[email protected]> sig 639F6A66 2010-02-03 Adam Nichols <[email protected]> sig 5B172AB2 2010-02-18 Sven Lucke (Verschlüsselung) <[email protected]> sig A1A1BC05 2010-02-19 Sven Lucke (Neuer Schlüssel) <[email protected]> sig 27A1C89A 2010-10-17 z00z00z00 <[email protected]> sig 6F10FC42 2010-11-05 [User ID not found] sig 7B5D666B 2010-09-16 robbiemacg <[email protected]> sig 3 29606E77 2010-11-15 lilo <[email protected]> sig 339A7FA8 2010-09-23 Chris Jordan <[email protected]> sig 5B54D68C 2010-10-22 James O. Christie <[email protected]> sig FDA28A1A 2011-06-30 [User ID not found] sub 2048R/219EC810 2009-09-04 [expires: 2012-09-03] sig 886DDD89 2009-09-04 deb.torproject.org archive signing key In the PGP web of trust idea, anybody who wants to can sign a key for whatever reason they choose. Some more people chose to sign the key since you last fetched a copy. Nothing to worry about. --Roger _______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
