[Catalog-sig] How to verify cheeseshop signatures?

Phillip J. Eby pje at telecommunity.com
Sun Oct 23 18:02:17 CEST 2005


>Jp Calderone wrote:
> > The required key is indicated in the message.  You just need to
> > retrieve it:
> >
> > gpg --import 41C6E930
> >
> > Re-running --verify should now work.

It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".


At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Partially, yes: it will verify that the signature was made by the public
>key with that key ID. That doesn't mean you know for sure that the
>person you assume to be behind the key really is the "owner" of the key.
>
>For that, you would actually have to validate the public key, e.g. by
>looking at the signatures on the public key, and checking whether you
>recognize them, and whether you believe they would only sign keys for
>people they have verified in person.
>
>This is nothing cheeseshop could help with: the web of trust really is
>between people, not between technology.

So, from a practical perspective, the current signature implementation is 
of no use whatsoever to the vast majority of cheeseshop users.

It seems like it would make more sense to use a format that includes a 
certificate signature chain (as with Ruby Gems).  Having to manually track 
the keys of individual authors sort of goes against the whole point.
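The distinction Martin draws above (a signature that verifies versus a key you actually trust) shows up in gpg's machine-readable status output, and a script that only looks at gpg's exit code misses it. The following is an added example, not code from this thread or from cheeseshop: a POSIX sh function that classifies `gpg --status-fd` output, run over constructed sample status lines (the key ID is the one from the thread; the user ID and fingerprint are made up).

```sh
#!/bin/sh
# Classify the [GNUPG:] status lines that `gpg --status-fd 1 --verify` emits.
# Prints one word:
#   valid-trusted    GOODSIG from a key with full or ultimate trust
#   valid-untrusted  GOODSIG, but nobody in your keyring certified the key
#   bad              signature does not match the file
#   missing-key      public key not available, so nothing was checked
#   error            gpg reported a verification error of another kind
#   no-signature     no signature status seen at all
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { missing = 1 }
        $2 == "ERRSIG"    { err = 1 }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad)                  print "bad"
            else if (good && trusted) print "valid-trusted"
            else if (good)            print "valid-untrusted"
            else if (missing)         print "missing-key"
            else if (err)             print "error"
            else                      print "no-signature"
        }
    '
}

# Real usage (not run here); note that `gpg --import` expects a file, while
# fetching a key by ID from a keyserver is `gpg --recv-keys 41C6E930`:
#   gpg --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz 2>/dev/null | classify_gpg_status

# Constructed sample: the thread's situation after the key has been fetched.
# The signature is good, but the key carries no trust in this keyring.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 41C6E930 Example Author <author@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF41C6E930 2005-10-23 1130090537 0 4 0 17 2 00
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: same key after you have certified it yourself.
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 41C6E930 Example Author <author@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed sample: key never fetched, which is the state before --recv-keys.
SAMPLE_MISSING='[GNUPG:] ERRSIG 41C6E930 17 2 00 1130090537 9
[GNUPG:] NO_PUBKEY 41C6E930'

# Constructed sample: tampered archive.
SAMPLE_BAD='[GNUPG:] BADSIG 41C6E930 Example Author <author@example.invalid>'
```

An installer that treats only `valid-trusted` as success gets the behaviour the thread is asking for; `valid-untrusted` is exactly the "good signature, unknown signer" case that the exit code alone reports as a pass.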


