The wiki page for the recent OpenSSL vulnerability offers a Perl script for checking keys, a gpg signature for that script, and a key ID for that signature (that of Florian Weimer).
I can import the key as shown, and show that the script was indeed signed by that key. However, gpg warns me that it can't tell that that key indeed belongs to Florian Weimer. How can I fill in that gap, to properly verify the file?

I have signed keys of several people who have been to keysigning parties at several DebConfs, so I feel I should have a trust path to anybody of significance in the Debian community - though I could be proved wrong. I've also added the Debian keyserver to my ~/.gnupg/options, as well as the keyring from the debian-keyring package.

Is there a step I'm missing?

Thanks,
Richard