[systemd-devel] Verify the gpg signature of the given tag

Mantas Mikulėnas grawity at gmail.com
Wed May 11 11:04:31 UTC 2016


On Wed, May 11, 2016 at 10:57 AM, poma <pomidorabelisima at gmail.com> wrote:

>
> $ git tag --verify v229
> object 95adafc428b5b4be0ddd4d43a7b96658390388bc
> type commit
> tag v229
> tagger Lennart Poettering <lennart at poettering.net> 1455208658 +0100
>
> systemd 229
> gpg: Signature made Thu 11 Feb 2016 05:37:38 PM CET using RSA key ID 9C3485B0
> gpg: Good signature from "Lennart Poettering <lennart at poettering.net>"
> gpg:                 aka "Lennart Poettering <lennart at poettering.de>"
> gpg:                 aka "Lennart Poettering (Red Hat) <lpoetter at redhat.com>"
> gpg:                 aka "Lennart Poettering (Sourceforge.net) <poettering at users.sourceforge.net>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4
>      Subkey fingerprint: 16B1 C4EE C0BC 021A C777  F681 B63B 2187 9C34 85B0
>
>
> How to do this without "gpg: WARNING:" part?
>

In the pgp trust model – assuming you've already verified the key and are
sure that it really belongs to Lennart – you need to sign (certify) it
either with a public or local signature:

$ gpg --lsign-key "63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4"

In the tofu or tofu+pgp trust model, mark it as good in tofu.db:

$ gpg --tofu-policy good "63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4"

(You can try out the new models using "gpg --update-trustdb --trust-model
tofu+pgp".)

-- 
Mantas Mikulėnas <grawity at gmail.com>
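
A scripted form of this check, as an added example that is not part of the original message: it reads the machine-readable status lines from `git verify-tag --raw` rather than the human-readable text, pins the primary key fingerprint shown in the quoted output, and separates "valid signature, key not certified" from "valid signature, key certified". The function names, exit codes and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a signed tag against a pinned primary key fingerprint.
# Fingerprint copied from the "Primary key fingerprint" line quoted above.
PINNED_FPR="63CDA1E5D3FC22B998D20DD6327F26951A015CC4"

# Constructed sample of gpg status output for a subkey signature (illustrative).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B63B21879C3485B0 Lennart Poettering
[GNUPG:] VALIDSIG 16B1C4EEC0BC021AC777F681B63B21879C3485B0 2016-02-11 1455208658 0 4 0 1 8 00 63CDA1E5D3FC22B998D20DD6327F26951A015CC4
[GNUPG:] TRUST_UNDEFINED'

# check_status FPR: read gpg status lines on stdin.
#   0 = one valid signature by FPR, key validity full or ultimate
#   2 = one valid signature by FPR, but the key is not certified
#   1 = anything else (bad, missing or multiple signatures, other key)
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Field 12 of VALIDSIG is the primary key; field 3 is the signing (sub)key.
        $2 == "VALIDSIG" { primary = ($12 != "") ? $12 : $3; valid++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 ~ /^TRUST_/ { trust = $2 }
        END {
            if (bad || valid != 1 || toupper(primary) != toupper(want)) exit 1
            if (trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE") exit 0
            exit 2
        }'
}

# verify_tag TAG [FPR]: --raw sends the status lines to stderr, so swap streams.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "${2:-$PINNED_FPR}"
}

# Usage: sh verify-tag.sh v229
if [ "$#" -gt 0 ]; then verify_tag "$1"; fi
```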