New to Arch Linux and unfamiliar with how to verify signatures using public keys. I've gotten this far:
gpg: assuming signed data in `./archlinux-2014.02.01-dual.iso'
gpg: Signature made Sat 01 Feb 2014 01:12:03 PM MST using RSA key ID 9741E8AC
gpg: using PGP trust model
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA1
As I understand it, now I need to make sure the public key is valid.
Any help is appreciated.
https://www.archlinux.org/developers/#pierre
Seems fine :-)
4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC = 4aa4767bbc9c4b1d18ae28b77f2d434b9741e8ac
RSA key ID 9741E8AC = PGP Key: 0x9741E8AC
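The comparison made in the reply above, written as an added example that is not part of the original thread: it takes gpg's printed output, normalizes the fingerprint, and accepts the signer only if the full 40-digit fingerprint equals a reference value obtained from a separate channel. The function names are hypothetical, and the sample output and reference fingerprint are the values posted in this thread.

```shell
#!/bin/sh
# Sample gpg output, copied from the first post in this thread.
GPG_OUTPUT='gpg: Signature made Sat 01 Feb 2014 01:12:03 PM MST using RSA key ID 9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC'

# Reference fingerprint as posted in the reply above. In practice, read it
# from a channel independent of the download (e.g. the developers page).
REFERENCE_FPR='4aa4767bbc9c4b1d18ae28b77f2d434b9741e8ac'

# Keep only hex digits and upper-case them, so spacing and case do not matter.
normalize_fpr() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Value of the "Primary key fingerprint" line in gpg's output.
extract_fpr() {
    printf '%s\n' "$1" | sed -n 's/^ *Primary key fingerprint: *//p' | head -n 1
}

# Short key ID from the "Signature made ... key ID XXXXXXXX" line.
extract_keyid() {
    printf '%s\n' "$1" | sed -n 's/.* key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# check_signer GPG_OUTPUT REFERENCE_FPR
# Returns 0 on a match; 1 no good signature; 2 malformed fingerprint;
# 3 fingerprint differs from reference; 4 key ID is not the fingerprint's tail.
check_signer() {
    printf '%s\n' "$1" | grep -q '^gpg: Good signature from ' || return 1
    got=$(normalize_fpr "$(extract_fpr "$1")")
    want=$(normalize_fpr "$2")
    [ "${#got}" -eq 40 ] || return 2
    # Compare the whole fingerprint: an 8-digit key ID is not unique.
    [ "$got" = "$want" ] || return 3
    keyid=$(normalize_fpr "$(extract_keyid "$1")")
    [ -n "$keyid" ] || return 4
    case "$got" in *"$keyid") ;; *) return 4 ;; esac
    return 0
}

if check_signer "$GPG_OUTPUT" "$REFERENCE_FPR"; then
    echo "fingerprint matches the reference"
else
    echo "fingerprint does NOT match the reference"
fi
```

The human-readable text parsed here varies with locale and gpg version; for scripts, gpg's `--status-fd` output is the machine-readable interface.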
The only way to get rid of that message is if the owner of the key gets it signed by other gpg users. Hint: hardly anyone does this, it requires organising a key-signing party. The current message you're getting is about as good as you are going to get.
Thanks for the responses. Your explanations and assurances are good enough for me!
You are asking the right questions. I once wrote an article about this: https://pierre-schmitz.com/trust-the-master-keys/
For my key you can check e.g. my blog and its SSL cert, previous posts by me, CAcert, etc.