Date:      Fri, 21 Mar 2003 09:20:38 +0100
From:      Stijn Hoop <stijn@win.tue.nl>
To:        budsz <budsz@kumprang.or.id>
Cc:        FreeBSD-Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: About *.asc
Message-ID:  <20030321082038.GC54854@pcwin002.win.tue.nl>
In-Reply-To: <20030321081451.GA13163@kumprang.or.id>
References:  <20030321081451.GA13163@kumprang.or.id>



On Fri, Mar 21, 2003 at 03:14:51PM +0700, budsz wrote:
> I was searching web resources about this problem, mailing lists etc. Today
> I got an advisory from FreeBSD security about the trouble, so I tried to verify
> the *.asc:
> 
> $ gpg --verify xdr-5.patch.asc
> gpg: Signature made Thu Mar 20 08:10:01 2003 WIT using DSA key ID CA6CDFB2
> gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED  B131 15D6 8804 CA6C DFB2
> 
> What happened with the warning message? Would you give me some clue, please.

You need to tell gpg that you trust the fact that that key is indeed the one
that the people at FreeBSD use to sign the advisory.

In other words, gpg has verified that the digital signature was not tampered
with, but there is no way for gpg to know whether it was really the FreeBSD
security officer key -- anyone can create a key saying that they are the
security officer.

You can verify that it is the correct key by comparing the fingerprint to a
trusted source of fingerprints. The most secure solution is to go up to the
security officer in person and compare the key fingerprints by hand, but this
is of course not practical. For most purposes it is enough to compare the
fingerprint with the one on the web at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html#PGPKEYS-OFFICERS

But it's up to you to assign a level of trust in these procedures (how secure
is the FreeBSD web site? etc).

To tell gpg that you trust that this is the key used by the FreeBSD officer:

$ gpg --edit-key security-officer@freebsd.org

enter 'trust' and then e.g. '4'.

HTH,

--Stijn

-- 
If today is the first day of the rest of your life, what the hell was
yesterday?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+estWY3r/tLQmfWcRAq9aAJ9hhIb9qjoguQ2X8dM5SCCdIkVL1ACdG6n3
ENIF2bj70tXT35CWl4rxKjw=
=/YEc
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
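The reply above answers the warning by raising the key's trust level inside the keyring. An alternative that a script (or a build pipeline fetching FreeBSD advisories) can use is to pin the fingerprint it compared against the handbook page and decide for itself, ignoring gpg's web-of-trust verdict altogether. The example below is added here and is not code from the thread or from the FreeBSD project. It parses the machine-readable lines gpg emits with `--status-fd` (the `[GNUPG:] GOODSIG` / `VALIDSIG` / `TRUST_*` protocol) rather than the "Good signature from" text, because the human-readable output is not stable across versions and locales. The only real value in it is the Security Officer fingerprint quoted in the message; the three status transcripts are constructed to illustrate a genuine signature, a look-alike key that shares the short key ID `CA6CDFB2` and user ID but not the fingerprint, and a tampered file. The `run_gpg_verify` helper's command line is a standard gpg invocation, but it is an assumption that gpg is on the path.

```python
"""Accept a gpg signature by pinning the signer's full fingerprint.

Added example, not code from the thread. Instead of telling gpg to trust the
key (the --edit-key / trust route in the reply), the verifier carries the
fingerprint it checked against the trusted source and makes the decision
itself, from gpg's machine-readable --status-fd lines.
"""
import re
import subprocess

# Fingerprint of the FreeBSD Security Officer key exactly as printed in the
# message above (the value you compare against the handbook page).
TRUSTED_FINGERPRINTS = {
    "C374 0FC5 69A6 FBB1 4AED  B131 15D6 8804 CA6C DFB2",
}

STATUS_PREFIX = "[GNUPG:] "
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "NO_PUBKEY", "UNEXPECTED"}


def normalize_fpr(fpr):
    """Strip whitespace and upper-case so 'c374 0fc5 ...' == 'C3740FC5...'."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_text):
    """Pull the fields we need out of gpg --status-fd output."""
    info = {"goodsig_keyid": None, "sig_fpr": None, "primary_fpr": None,
            "trust": None, "failures": []}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            info["goodsig_keyid"] = args[0]     # key ID only; never pin on this
        elif keyword == "VALIDSIG":
            info["sig_fpr"] = args[0]           # fingerprint of the signing (sub)key
            # Field 10 is the primary key fingerprint; older gpg omits it.
            info["primary_fpr"] = args[9] if len(args) > 9 else args[0]
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword             # gpg's web-of-trust verdict
        elif keyword in FAILURE_KEYWORDS:
            info["failures"].append(keyword)
    return info


def accept(status_text, trusted=TRUSTED_FINGERPRINTS):
    """True only if the signature is good AND was made by a pinned key.

    gpg's TRUST_* line (what produced the warning in the thread) is not
    consulted: the pinned fingerprint is the trust decision.
    """
    info = parse_status(status_text)
    if info["failures"] or info["goodsig_keyid"] is None or info["sig_fpr"] is None:
        return False
    pinned = {normalize_fpr(f) for f in trusted}
    return (normalize_fpr(info["sig_fpr"]) in pinned
            or normalize_fpr(info["primary_fpr"]) in pinned)


def run_gpg_verify(sig_path, data_path=None):
    """Run gpg and return its status lines (on stdout because of --status-fd 1).

    Assumes gpg is on the path. The exit code is ignored on purpose; accept()
    decides from the status lines.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path is not None:
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout


# --- Constructed status output, modelled on the verification in the thread ---
# Good signature from the real SO key (2003-03-20 08:10:01 WIT as a timestamp).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 15D68804CA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>
[GNUPG:] VALIDSIG C3740FC569A6FBB14AEDB13115D68804CA6CDFB2 2003-03-20 1048122601 0 4 0 17 2 00 C3740FC569A6FBB14AEDB13115D68804CA6CDFB2
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed look-alike key: same user ID and same short key ID CA6CDFB2,
# different (made-up) fingerprint, and even marked ultimately trusted in the
# local keyring. Only the full fingerprint tells it apart.
SAMPLE_LOOKALIKE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFCA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>
[GNUPG:] VALIDSIG 111122223333444455556666DEADBEEFCA6CDFB2 2003-03-20 1048122601 0 4 0 17 2 00 111122223333444455556666DEADBEEFCA6CDFB2
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed: tampered patch, signature does not verify.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 15D68804CA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>
"""

if __name__ == "__main__":
    for name, sample in [("real key", SAMPLE_GOOD), ("look-alike key", SAMPLE_LOOKALIKE),
                         ("bad signature", SAMPLE_BAD)]:
        print(f"{name}: {'ACCEPT' if accept(sample) else 'REJECT'}")
```

Against real files the call is `accept(run_gpg_verify("xdr-5.patch.asc"))` (add the data file as the second argument for a detached signature). The pinning step still depends on having checked the fingerprint once against a source other than the key itself, as the reply describes; `gpg --fingerprint security-officer@freebsd.org` prints what is in your keyring, and that must be compared with the handbook page before the value goes into `TRUSTED_FINGERPRINTS`. The look-alike sample is why the check is on the full fingerprint and not on the 8-hex key ID shown in the "using DSA key ID" line: a key with any chosen short key ID can be generated by anyone.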



