Joe Drew <[EMAIL PROTECTED]> writes:

> gpg: Signature made Wed Sep 15 12:08:31 1999 EDT using DSA key ID 2FA3BC2D
> gpg: Good signature from "Wichert Akkerman <[EMAIL PROTECTED]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
>
> I get this with every signature verification. It didn't mention
> anything about trusted signatures, etc., in the keysigning-howto. Is
> it just an annoyance or can I set up something with my trustdb in
> gpg which will stop this? (Is there one person who signs all Debian
> developer keys?)

It's just saying that you don't know if the key really belongs to Wichert. Given that this key only seems to have been signed by Ray Dassen and itself, in order to trust it you'd either have to tell gpg that you know that it's Wichert's key (presumably just after getting back from a key-signing) or you'd have to tell it that you trusted Ray to do that check for you (do you know him?). In the absence of either of these, gpg is correct in telling you that you don't know if that key is really Wichert's or not.

If you actually know Ray, and you have good reason to believe that the key used to sign this key was Ray's, and you trust him not to go round signing keys without justification, then you could tell gpg about this, by editing his key (with --edit-key) and using the ``trust'' command to tell it how much you trust him.

Cheers, Phil.
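
The rule described in the reply above, as an added example that is not part of the original thread and not GnuPG's own code: a simplified model of how gpg decides a key is valid, using its default thresholds (one fully trusted or three marginally trusted signers, certification depth 5). The key names `me`, `ray` and `wichert` and the signature sets are constructed for illustration.

```python
# Simplified model of GnuPG's classic web-of-trust validity calculation.
# Assumptions: default thresholds; only fully valid keys act as introducers.
FULL_NEEDED, MARGINAL_NEEDED, MAX_DEPTH = 1, 3, 5

def valid_keys(my_key, signatures, ownertrust):
    """Return {key: depth} for every key that would be treated as valid.

    signatures: {key: set of keys that have signed it}
    ownertrust: {key: "full" | "marginal"}, i.e. how far you trust that
                key's owner to verify identities (set with the trust command)
    """
    valid = {my_key: 0}  # your own key is ultimately trusted
    for depth in range(1, MAX_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures from already-valid keys count; a self-signature
            # proves nothing about who owns the key.
            good = [s for s in signers if s in valid and s != key]
            full = sum(ownertrust.get(s) == "full" for s in good)
            marginal = sum(ownertrust.get(s) == "marginal" for s in good)
            if my_key in good or full >= FULL_NEEDED or marginal >= MARGINAL_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed scenario: Wichert's key is signed only by Ray and by itself.
AS_IMPORTED = {"wichert": {"wichert", "ray"}, "ray": {"ray"}}
RAY_SIGNED_BY_ME = {"wichert": {"wichert", "ray"}, "ray": {"ray", "me"}}
WICHERT_SIGNED_BY_ME = {"wichert": {"wichert", "ray", "me"}, "ray": {"ray"}}

if __name__ == "__main__":
    cases = [
        ("as imported, no trust set", AS_IMPORTED, {}),
        ("trust set on Ray, but his key is unverified", AS_IMPORTED, {"ray": "full"}),
        ("Ray's key verified, no trust set", RAY_SIGNED_BY_ME, {}),
        ("Ray's key verified and fully trusted", RAY_SIGNED_BY_ME, {"ray": "full"}),
        ("Wichert's key signed by me", WICHERT_SIGNED_BY_ME, {}),
    ]
    for label, sigs, trust in cases:
        ok = "wichert" in valid_keys("me", sigs, trust)
        print(f"{label}: {'valid' if ok else 'WARNING: not certified'}")
```

Only the last two cases silence the warning, which matches the two options given in the reply: certify the key yourself, or verify Ray's key and then assign him owner trust.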