can someone verify the gnupg Fingerprint for pubkey?

Peter Lebbing peter at digitalbrains.com
Sat Jun 9 22:14:27 CEST 2012


On 09/06/12 20:47, Robert J. Hansen wrote:
> On 06/09/2012 11:57 AM, Peter Lebbing wrote:
>> Suppose you would want to build from the vanilla source downloaded from
>> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
>> authenticity of that key?
> 
> I don't understand where this question is going.  I would find some
> trusted path, obviously.  If I contact the maintainer and am told, "I
> download packages and check they are signed with this fingerprint ID,"
> well, then I'm already transitively validating-by-fiat that fingerprint
> ID.

Where the question is going is rather simple: what would you recommend Joe
Average User to do to verify the authenticity of the GnuPG source he downloaded,
not questioning his desire to build from that source.

Contacting the package maintainer of your Linux distribution seems a good
method. You could ask them to sign the dist sig instead, and publish it on the
keyserver. Then anybody who trusts the distribution will be able to infer trust
for the dist sig.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
