Bandie/grub2-signing-extension

Key not trusted

Closed this issue · 1 comments

[crashbit@gt62vr-6re tmp]$ gpg --verify grub2-signing-extension-0.1.2.tar.gz.asc
gpg: assuming signed data in 'grub2-signing-extension-0.1.2.tar.gz'
gpg: Signature made diumenge, 5 d’agost de 2018, 22:03:40 CEST
gpg: using RSA key E2D7876915312785DC086BFCC1E133BC65A822DD
gpg: Good signature from "Bandie bandie@chaospott.de" [desconeguda]
gpg: aka "Bandie bandie@essen.ccc.de" [desconeguda]
gpg: AVÍS: Aquesta clau no ve certificada per una signatura de confiança!
gpg: No hi ha res que indique que la signatura pertany al seu propietari.
Empremtes digital de la clau primària: E2D7 8769 1531 2785 DC08 6BFC C1E1 33BC 65A8 22DD

Hi,

This is pretty normal behaviour for gpg.
When you add someone's key to your gpg keyring, it automatically gets the trust level 'unknown'. The idea of the trust level is to be able to trust someone else's key when it is signed by one or more users with a (high) trust level.
At the moment there are 5 trust levels you can set via gpg --edit-key <FINGERPRINT> followed by typing trust:

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  1. is, as you can guess, unknown.
  2. is, you won't ever trust this key.
  3. Imagine person A, B and C are set with marginal trust. There's an unknown user D. If D is signed by at least 3 marginally trusted persons it will be trusted. So if A, B and C signed D, you will also trust D.
  4. is, you automatically trust the signatures of that person. You usually set that if you know that person does a fingerprint comparison correctly and knows how to make sure whether a person/key is trustworthy or not.
  5. is used for your own keys only.

Links explaining all of this again:

https://gpgtools.tenderapp.com/kb/how-to/trusting-keys-and-why-this-signature-is-not-to-be-trusted
https://gpgtools.tenderapp.com/kb/faq/what-is-ownertrust-trust-levels-explained

I hope I could help you with that. :)
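
The fingerprint comparison mentioned in the reply can be scripted against gpg's machine-readable status lines instead of the localized text. The following is an added example, not code from this project or from the reply: `check_status` and `sample_status` are hypothetical helper names, the status lines are constructed to match the signature shown in the issue, and the pinned fingerprint is the one printed in that output.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd 1 --verify` output by pinned fingerprint.

# Fingerprint as printed in the gpg output quoted in this issue.
PINNED_FPR="E2D7876915312785DC086BFCC1E133BC65A822DD"

# check_status FPR: reads gpg status lines on stdin, prints one verdict:
#   trusted    (rc 0) good signature, pinned key, validity full or ultimate
#   pinned-ok  (rc 0) good signature, pinned key, validity unknown or marginal
#              (the "not certified with a trusted signature" case above)
#   wrong-key  (rc 1) valid signature, but made by a different primary key
#   bad        (rc 2) no valid signature, or key expired, revoked or never-trust
check_status() {
    local pinned primary trust failed tag kw arg1 rest
    pinned=$1; primary=""; trust=unverified; failed=0
    while read -r tag kw arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            # Last VALIDSIG field is the primary key fingerprint, so a
            # signature made by a subkey still maps to the pinned key.
            VALIDSIG) primary=${rest##* } ;;
            TRUST_FULLY|TRUST_ULTIMATE) trust=verified ;;
            TRUST_NEVER|BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) failed=1 ;;
        esac
    done
    if [ "$failed" -eq 1 ] || [ -z "$primary" ]; then echo bad; return 2; fi
    if [ "$primary" != "$pinned" ]; then echo wrong-key; return 1; fi
    if [ "$trust" = verified ]; then echo trusted; else echo pinned-ok; fi
    return 0
}

# Constructed status output for a good signature from a key with unknown validity.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C1E133BC65A822DD Bandie <bandie@chaospott.de>
[GNUPG:] VALIDSIG E2D7876915312785DC086BFCC1E133BC65A822DD 2018-08-05 1533499420 0 4 0 1 10 00 E2D7876915312785DC086BFCC1E133BC65A822DD
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real use (needs gpg and the downloaded files):
#   gpg --status-fd 1 --verify grub2-signing-extension-0.1.2.tar.gz.asc 2>/dev/null \
#       | check_status "$PINNED_FPR"
sample_status | check_status "$PINNED_FPR"
```

The check is only as strong as the source of the pinned fingerprint, so take it from a channel independent of the download itself.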