Re: [pcre-dev] How to verify signature for 10.36

Author: Petr Pisar
Date:  
To: pcre-dev
Subject: Re: [pcre-dev] How to verify signature for 10.36
On Mon, Mar 22, 2021 at 01:25:59PM -0700, Sumonto Ghosh via Pcre-dev wrote:
> I did the following however I don't know how to get rid of the warning,
> (Any help appreciated)
>
> ~/Downloads ❯ gpg --list-keys
> ~/Downloads ❯ gpg --keyserver ipv4.pool.sks-keyservers.net --search-keys
> "Philip Hazel"
> gpg: data source: http://4.35.226.103:11371
> (1)     Philip Hazel <ph10@???>
>           2048 bit RSA key A4C4952AFB0F43D8, created: 2014-06-16 (revoked)
> (2)     Philip Hazel <ph10@???>
>         Philip Hazel <ph10@???>
>         Philip Hazel <ph10@???>
>           2048 bit RSA key 9766E084FB0F43D8, created: 2002-10-21
> Keys 1-2 of 2 for "Philip Hazel".  Enter number(s), N)ext, or Q)uit > 2
> gpg: key 9766E084FB0F43D8: 1 duplicate signature removed
> gpg: key 9766E084FB0F43D8: public key "Philip Hazel <ph10@???>"
> imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> ~/Downloads took 4s ❯ gpg --verify pcre2-10.36.zip.sig pcre2-10.36.zip
> gpg: Signature made Fri Dec  4 06:29:04 2020 PST
> gpg:                using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
> gpg: Good signature from "Philip Hazel <ph10@???>" [unknown]
> gpg:                 aka "Philip Hazel <ph10@???>" [unknown]
> gpg:                 aka "Philip Hazel <ph10@???>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B  46E5 9766 E084 FB0F 43D8

>

You did it right. The warning says what it says. The "gpg --verify" command
successfully verified that the signature matches the tar ball and the public
key. But it also says that there was no way of verifying the authenticity of the
public key. In other words, either all three parts (key, signature, tar ball)
are genuine, or the key and the signature (and maybe the tar ball) are faked.

The only way to deal with it is to obtain Philip's key in a secure way
directly from Philip (that's not downloading it from a random Internet server,
like ipv4.pool.sks-keyservers.net), or you can delegate the key verification
to someone else who has already signed Philip's key and whose key you've
already got in a secure way.

You can get a list of the signatures with the "gpg --list-sigs
45F68D54BBE23FB3039B46E59766E084FB0F43D8" command. There are 122 of them now.
So your problem of the authenticity of Philip's key reduces to the authenticity
of one (or more) of the 122 foreign keys. If you iterate recursively for all
the keys, you will maybe find someone whose key you trust.

See <https://gnupg.org/faq/gnupg-faq.html#how_to_validate>, if you don't
believe me.

> ================================================================================================
> I also tried importing it, but same warning
>

You've already imported the key from the keyserver. You can see that the key
ID matches. It won't improve your situation in any way.

-- Petr
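
Added example (not part of the original message and not PCRE project code): a shell filter over `gpg --status-fd` output that answers separately the two questions the reply distinguishes, whether the signature matches the file and whether the key itself is authenticated. The function names and the status lines are constructed for illustration; the fingerprint is the one printed in the thread, used only as sample data, and a real pinned fingerprint must come from a channel you already trust.

```shell
#!/bin/sh
# Usage (hypothetical helper):
#   gpg --status-fd 1 --verify pcre2-10.36.zip.sig pcre2-10.36.zip 2>/dev/null \
#     | classify_gpg_status "$PINNED_FPR"
# Exit 0: signature valid and key authenticated; 1: signature valid, key not
# authenticated (the warning in the thread); 2: bad signature or wrong key.

# Constructed sample of the status lines for the situation in the thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9766E084FB0F43D8 Philip Hazel
[GNUPG:] VALIDSIG 45F68D54BBE23FB3039B46E59766E084FB0F43D8 2020-12-04 1607092144 0 4 0 1 8 00 45F68D54BBE23FB3039B46E59766E084FB0F43D8
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

classify_gpg_status() {
    # Accept the pinned fingerprint with spaces or in lowercase; may be empty.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    valid=no bad=no fpr= trust=
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            VALIDSIG)
                valid=yes
                fpr=${rest##* }                  # last field: primary key fingerprint
                [ "${#fpr}" -ge 40 ] || fpr=$a1  # field absent: use signing key fingerprint
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=yes ;;
            TRUST_*) trust=${kw#TRUST_} ;;       # validity gpg computed for the key
        esac
    done
    if [ "$valid" != yes ] || [ "$bad" = yes ]; then
        echo "signature-bad"; return 2
    fi
    if [ -n "$pinned" ]; then
        # A fingerprint obtained out of band replaces the web-of-trust decision.
        if [ "$fpr" = "$pinned" ]; then echo "signature-ok key-pinned"; return 0; fi
        echo "signature-ok key-mismatch"; return 2
    fi
    case $trust in
        FULLY|ULTIMATE) echo "signature-ok key-trusted"; return 0 ;;
    esac
    echo "signature-ok key-unverified"; return 1
}

sample_status | classify_gpg_status "" || true   # prints: signature-ok key-unverified
```

Without a pinned fingerprint the result depends on the validity gpg computes from signatures on the key, which is the delegation the reply describes.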