certification of signatures

mike mikereape at onetel.com
Fri Oct 17 18:06:23 UTC 2008


Hi,

I have a real basic question about verifying your download for Fedora 7,
8 and 9.  I'm new to keys, signatures, certification, etc. and I haven't
been able to find what I need in the Fedora help resources.  Apologies 
if this is the wrong place to post or if a similar post appears (not 
sure that it was lost).

The following is for Fedora 9.  I downloaded the iso on May 8th and 
SHA1SUM on September 2 from the Kent mirrorservice in the UK.

If I follow the instructions at http://fedoraproject.org/en/verify I get:

[mike at desktop iso]$ gpg --verify SHA1SUM
gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
gpg: Good signature from "Fedora Project <fedora at redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
[mike at desktop iso]$

My question is: do I need to worry about the lack of certification?  If I
do, how do I check that the signature is certified?  Also, does this have 
anything to do with the migration to new package keys?

I've searched the forum and mailing list and have looked at the various 
manuals, etc. for GnuPG but can't find what I'm looking for.

Thanks for any help,
Mike
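
Added example (not part of the original post): the warning in the output above is about whether the signing key is certified in the local trust database, which is separate from whether the signature itself checks out. The sketch below reads gpg's machine-readable status lines and accepts only a valid signature whose primary key fingerprint equals one confirmed out of band; the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge gpg's machine-readable status output by fingerprint.
# Fingerprint as printed in the post; confirm it from an independent source.
EXPECTED_FPR="CAB44B996F27744E86127CDFB44269D04F2A6FD2"

# check_status FPR: reads `gpg --status-fd 1 --verify FILE` lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the primary key (field 12)
# and no line reports a bad, unverifiable, expired-key or revoked-key signature.
# TRUST_UNDEFINED (the "not certified" warning) does not affect the result.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($12) == toupper(want)) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_file FILE: hypothetical wrapper that runs gpg and applies the check.
verify_file() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] GOODSIG B44269D04F2A6FD2 Fedora Project
[GNUPG:] VALIDSIG CAB44B996F27744E86127CDFB44269D04F2A6FD2 2008-05-08 1210212224 0 3 0 17 2 01 CAB44B996F27744E86127CDFB44269D04F2A6FD2
[GNUPG:] TRUST_UNDEFINED'

# Same shape, but signed by a different (constructed) key: must be rejected.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-05-08 1210212224 0 3 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED'

# Signature does not match the file contents: must be rejected.
SAMPLE_BAD='[GNUPG:] BADSIG B44269D04F2A6FD2 Fedora Project'

printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR" \
    && echo "accept: valid signature from the expected key"
```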
