GPG signature - have I done this correctly?
by amikoyan from LinuxQuestions.org on (#5GK5Y)
I do not know how to verify a GPG signature correctly and thought I would try and learn with a slackbuild.
I did this:
Code:
mik@Sbuilds:~$ gpg --fetch-keys http://slackbuilds.org/GPG-KEY
gpg: /home/mik/.gnupg/trustdb.gpg: trustdb created
gpg: key 9C7BA3B6: public key "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
mik@Sbuilds:~$ gpg --verify libsodium.tar.gz.asc
gpg: assuming signed data in `libsodium.tar.gz'
gpg: Signature made Sun 18 Aug 2019 02:08:02 AM BST using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09 B8B7 0368 EF57 9C7B A3B6

The output seems to indicate success:
Code:
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"

but also failure:
Code:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

libsodium.tar.gz.asc and libsodium.tar.gz are in the same directory.
My concern is not with the security of slackbuilds.org, which I trust and think is excellent, but whether I carried out the process correctly.
I want to learn the correct verification process before I stupidly download something 'bad' from elsewhere.
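One way to turn that WARNING into a yes/no decision, as an added example that is not from the poster or from SlackBuilds.org: instead of relying on web-of-trust state, pin the signer's full 40-hex fingerprint (the one printed in the output above) and accept the file only if gpg's machine-readable status reports a VALIDSIG made by exactly that key. The pinned value has to come from a channel you already trust (not the same plain-http fetch that delivered the key); the function names here are my own, and gpg's `--status-fd` output format is the only real interface assumed.

```shell
#!/bin/sh
# Added example: detached-signature verification with a pinned fingerprint.
# "Good signature" only means the maths checks out against SOME imported key;
# the pin is what ties the result to the key you actually meant to trust.

# Fingerprint printed by the poster's gpg run, written without spaces.
# In real use, obtain this value out-of-band and compare all 40 hex digits,
# never just the 8-digit short ID (9C7BA3B6), which is trivially collidable.
EXPECTED_FPR="D3076BC3E783EE747F09B8B70368EF579C7BA3B6"

# check_validsig STATUS_TEXT EXPECTED_FPR
# Scans gpg --status-fd output for a line "[GNUPG:] VALIDSIG <fpr> ..." whose
# fingerprint equals EXPECTED_FPR. Returns 0 on a match, 1 otherwise.
# GOODSIG/BADSIG lines are ignored on purpose: they carry only the key ID.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_pinned SIGNATURE_FILE DATA_FILE EXPECTED_FPR
# Runs gpg with status lines on stdout (human-readable chatter to stderr is
# discarded) and fails unless the signature is valid AND made by the pinned key.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_validsig "$status" "$3"
}

# Usage: sh verify.sh libsodium.tar.gz.asc libsodium.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: valid signature from pinned key $EXPECTED_FPR"
    else
        echo "FAIL: bad signature or unexpected signing key" >&2
        exit 1
    fi
fi
```

With the fingerprint pinned, the "not certified with a trusted signature" warning becomes informational; the script's exit status, not gpg's trust model, is what gates the download.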