Mailing List Archive

Re: GnuPGP-Download
On Tue, 23 Nov 1999, at 04:39:32 +0100, Markus Konstroffer said:
> Signature by unknown keyid: 0x0C9857A5
>
> The Key-ID of Werner Koch is:
> pub 1024 0x57548DCD 1998-07-07 2002-12-29 DSS Sign only
> uid Werner Koch (gnupg sig) <dd9jn@gnu.org>
>
> Who signed the package? Is it safe to install it? I downloaded it from
> ftp://ftp.gnupg.org/pub/gcrypt/gnupg/

h0rus:~$ gpg --list-keys Koch
pub 768R/0C9857A5 1995-09-30 Werner Koch <werner.koch@guug.de>

pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>

pub 1024D/5B0358A2 1999-03-15 Werner Koch

but this doesn't prove it is his key, and this key IS NOT signed with
any other but itself, and again, his 57548DCD is not signed with
0C9857A5. Well, even if they were... who would know?


Regards,

--
Horacio Anno MMDCCLII ad Urbe condita
mailto:homega@ciberia.es
~ Spain ~Spanje ~ Spanien
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: GnuPGP-Download [ In reply to ]
On Tue, Nov 23, 1999 at 04:39:32PM +0100
Markus Konstroffer wrote:

> File to check signature against [gnupg-1.0.0.tar.gz]:
> Signature by unknown keyid: 0x0C9857A5

This is my old old RSA key. Use the *tar.gz.asc one. See
http://www.gnupg.org/download.htm

> ftp://ftp.gnupg.org/pub/gcrypt/gnupg/

This is the primary FTP server.


--
Werner Koch at guug.de www.openIT.de keyid 621CC013
Re: GnuPGP-Download [ In reply to ]
So what is the answer to my question?

Why does it say the package is signed by Werner Koch and has to be signed
by him to be safe to install, but it is not signed with one of his keys?

Remember: I downloaded the package from
ftp://ftp.gnupg.org/pub/gcrypt/gnupg/

and not a mirror-site.

Thank you for your help!
Markus

On Tue, 30 Nov 1999, J Horacio MG wrote:

> On Tue, 23 Nov 1999, at 04:39:32 +0100, Markus Konstroffer said:
> > Signature by unknown keyid: 0x0C9857A5
> >
> > The Key-ID of Werner Koch is:
> > pub 1024 0x57548DCD 1998-07-07 2002-12-29 DSS Sign only
> > uid Werner Koch (gnupg sig) <dd9jn@gnu.org>
> >
> > Who signed the package? Is it safe to install it? I downloaded it from
> > ftp://ftp.gnupg.org/pub/gcrypt/gnupg/
>
> h0rus:~$ gpg --list-keys Koch
> pub 768R/0C9857A5 1995-09-30 Werner Koch <werner.koch@guug.de>
>
> pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>
>
> pub 1024D/5B0358A2 1999-03-15 Werner Koch
>
> but this doesn't prove it is his key, and this key IS NOT signed with
> any other but itself, and again, his 57548DCD is not signed with
> 0C9857A5. Well, even if they were... who would know?
>
>
> Regards,
>
> --
> Horacio Anno MMDCCLII ad Urbe condita
> mailto:homega@ciberia.es
> ~ Spain ~Spanje ~ Spanien
> --------------------------------------------------------------------
> Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
>
Re: GnuPGP-Download [ In reply to ]
Thank you very much, that answers my question.

Regards
Markus

On Tue, 30 Nov 1999, Werner Koch wrote:

> On Tue, Nov 23, 1999 at 04:39:32PM +0100
> Markus Konstroffer wrote:
>
> > File to check signature against [gnupg-1.0.0.tar.gz]:
> > Signature by unknown keyid: 0x0C9857A5
>
> This is my old old RSA key. Use the *tar.gz.asc one. See
> http://www.gnupg.org/download.htm
>
> > ftp://ftp.gnupg.org/pub/gcrypt/gnupg/
>
> This is the primary FTP server.
>
>
> --
> Werner Koch at guug.de www.openIT.de keyid 621CC013
>
Re: GnuPGP-Download [ In reply to ]
On Wed, 01 Dec 1999, at 11:09:36 +0100, Markus Konstroffer said:
> So what is the answer to my question?
>
> Why does it say the package is signed by Werner Koch and has to be signed
> by him to be safe to install, but it is not signed with one of his keys?
>
> Remember: I downloaded the package from
> ftp://ftp.gnupg.org/pub/gcrypt/gnupg/
>
> and not a mirror-site.

It is signed with his key, but with a "detached signature" (have a look
at the manual on www.gnupg.org for detached sigs). This means that you
must download the source tarball and the detached signature(s):

gnupg-1.0.0.tar.gz
gnupg-1.0.0.tar.gz.asc
^^^
then (with both files in the same directory) verify the sig:

gpg --verify gnupg-1.0.0.tar.gz.asc


or, if you have PGP 5.x installed:

His old RSA key is around just in case you don't have a version of GnuPG
installed and you want to verify it with PGP 2.x (I believe that is
gnupg-1.0.0.tar.gz.sig)


HTH

--
Horacio Anno MMDCCLII ad Urbe condita
mailto:homega@ciberia.es
~ Spain ~Spanje ~ Spanien
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: GnuPGP-Download [ In reply to ]
J Horacio MG wrote:

[signature]
>but this doesn't prove it is his key, and this key IS NOT signed with
>any other but itself, and again, his 57548DCD is not signed with
>0C9857A5. Well, even if they were... who would know?

Thus the signature of the GnuPG package is a dazzle -- Werner's current
public key is neither incorporated into a web-of-trust nor certified by
any CA, which is an intolerable situation for such an ambitious
project.
Re: GnuPGP-Download [ In reply to ]
On Sat, Dec 04, 1999 at 08:14:17PM +0100
Thilo Barth wrote:

> Thus the signature of the GnuPG package is a dazzle -- Werner's current
> public key is neither incorporated into a web-of-trust nor certified by
> any CA, which is an intolerable situation for such an ambitious

Did you read the README? Did you notice that it is signed with my
old RSA key which in turn is very well connected and printed in the
GTR? The fingerprint of the signing key is inside this README file
(see "How to verify the source" point a). Furthermore the signing key
57548DCD is signed by my signature-only key 5B0358A2 which in turn is
signed by my old RSA key.

So where is the problem?


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
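Horacio's instructions (download the tarball and its detached .asc, run gpg --verify on the .asc) and Werner's reply (the fingerprint of the signing key is printed in the README) together describe one procedure: verify the detached signature, then check that the key gpg reports is the one whose fingerprint you obtained from a trusted source. The following is an added example illustrating that procedure; it is not code from this thread, from GnuPG, or from the GnuPG README. It assumes gpg is on PATH (only for verify_detached) and that gpg's --status-fd output follows its documented format; every fingerprint, key ID and status line in the samples is constructed for illustration and is not real key data.

```python
# Added example for this thread; it is not code from the original posts,
# from GnuPG, or from the GnuPG README. It shows the two-step check the
# thread arrives at: run gpg on the detached signature, then compare the
# fingerprint gpg reports against one pinned from a trusted source (the
# README, a printed key directory, a key you have verified in person).
# Assumptions: gpg is on PATH (only for verify_detached); status lines follow
# GnuPG's documented --status-fd format; every fingerprint, key ID and status
# line in the samples below is constructed for illustration, not real key data.
import subprocess
from typing import Iterable, List

# GnuPG's machine-readable status lines look like:
#   [GNUPG:] GOODSIG  <long keyid> <user id>
#   [GNUPG:] VALIDSIG <fpr> <date> <sig-ts> <expire-ts> <ver> <reserved>
#                     <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
# GOODSIG only says "some key in my keyring made a valid signature", which is
# exactly the "who would know?" problem from the thread. VALIDSIG carries the
# full fingerprint, and that is what gets pinned. Neither line depends on the
# web-of-trust validity gpg assigns to the key (TRUST_* lines), so the pin
# works even for a key that is not connected to your own.


def normalize_fpr(fpr: str) -> str:
    """Turn the human-readable "F4EE AE5E ..." form into bare upper-case hex."""
    return fpr.replace(" ", "").upper()


def gpg_verify_command(sig_path: str, data_path: str) -> List[str]:
    """gpg invocation for a detached signature: the .asc/.sig first, then the data."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]


def validsig_fingerprints(status_output: str) -> List[str]:
    """Fingerprints named on VALIDSIG lines: the signing key and, if reported, its primary key."""
    fprs: List[str] = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        fprs.append(parts[2].upper())       # key that made the signature
        if len(parts) >= 12:
            fprs.append(parts[11].upper())  # primary key, when a subkey signed
    return fprs


def signature_is_pinned(status_output: str, expected_fprs: Iterable[str]) -> bool:
    """True only if gpg reported VALIDSIG *and* the key is one of the pinned ones."""
    wanted = {normalize_fpr(f) for f in expected_fprs}
    return bool(wanted & set(validsig_fingerprints(status_output)))


def verify_detached(sig_path: str, data_path: str, expected_fprs: Iterable[str]) -> bool:
    """Run gpg and apply the pin; any non-zero exit (bad signature, unknown key) fails closed."""
    proc = subprocess.run(gpg_verify_command(sig_path, data_path),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    return signature_is_pinned(proc.stdout, expected_fprs)


# --- constructed samples (fake keys) -------------------------------------
# Fingerprint as a README would print it; the long key ID is its last 16 hex digits.
PINNED_FPR = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"

# Case 1: the package really was signed by the pinned key.
STATUS_PINNED_KEY = (
    "[GNUPG:] GOODSIG 777788889999AAAA Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 111122223333444455556666777788889999AAAA 1999-09-07 936660000 0 4 0 17 2 00 "
    "111122223333444455556666777788889999AAAA\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

# Case 2: a valid signature, but by some other key that happens to be in the keyring.
STATUS_OTHER_KEY = (
    "[GNUPG:] GOODSIG 111122223333DEAD Someone Else <else@example.invalid>\n"
    "[GNUPG:] VALIDSIG BBBBCCCCDDDDEEEEFFFF0000111122223333DEAD 1999-09-07 936660000 0 4 0 17 2 00 "
    "BBBBCCCCDDDDEEEEFFFF0000111122223333DEAD\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

# Case 3: the "Signature by unknown keyid" situation from the thread: no public key at all.
STATUS_UNKNOWN_KEY = (
    "[GNUPG:] ERRSIG 777788889999FFFF 17 2 00 936660000 9\n"
    "[GNUPG:] NO_PUBKEY 777788889999FFFF\n"
)


if __name__ == "__main__":
    import sys
    # usage: python verify_pinned.py gnupg-1.0.0.tar.gz.asc gnupg-1.0.0.tar.gz <fingerprint>
    sig, data, fpr = sys.argv[1], sys.argv[2], sys.argv[3]
    ok = verify_detached(sig, data, [fpr])
    print("signature OK and key matches pin" if ok else "REJECTED")
    sys.exit(0 if ok else 1)
```

The script passes the data file explicitly rather than letting gpg strip the .asc suffix as in the thread's one-liner, so it works for .sig files and renamed tarballs too. The pin is what separates "gpg said GOODSIG" from "Werner's key signed it": case 2 is a perfectly valid signature that still gets rejected because its fingerprint is not the one from the README, and case 3 is rejected because gpg never reached VALIDSIG at all.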
Re: GnuPGP-Download [ In reply to ]
Werner Koch <wk@gnupg.org> wrote:
> Thilo Barth wrote:
>> Thus the signature of the GnuPG package is a dazzle -- werner's current
>> public key is neither incorporated into a web-of-trust nor certified by
>> any CA, which is a non-tolerable situation for such an ambitious
>
>Did you read the README? Did you notice that it is signed with my
>old RSA key which in turn is very well connected and printed in the
>GTR? The fingerprint of the signing key is inside this README file

Yes, in fact I did, once upon a time, but whilst reading and replying
the message I was referring to I did not consult my long-term memory.
My apologies.

>So where is the problem?

Some people are still used to being confronted with only ONE key which
serves for all sorts of purposes. They have to think it over again.