[systemd-devel] Verify the gpg signature of the given tag

poma pomidorabelisima at gmail.com
Wed May 11 15:24:43 UTC 2016


On 11.05.2016 13:04, Mantas Mikulėnas wrote:
> On Wed, May 11, 2016 at 10:57 AM, poma <pomidorabelisima at gmail.com> wrote:
> 
>>
>> $ git tag --verify v229
>> object 95adafc428b5b4be0ddd4d43a7b96658390388bc
>> type commit
>> tag v229
>> tagger Lennart Poettering <lennart at poettering.net> 1455208658 +0100
>>
>> systemd 229
>> gpg: Signature made Thu 11 Feb 2016 05:37:38 PM CET using RSA key ID 9C3485B0
>> gpg: Good signature from "Lennart Poettering <lennart at poettering.net>"
>> gpg:                 aka "Lennart Poettering <lennart at poettering.de>"
>> gpg:                 aka "Lennart Poettering (Red Hat) <lpoetter at redhat.com>"
>> gpg:                 aka "Lennart Poettering (Sourceforge.net) <poettering at users.sourceforge.net>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4
>>      Subkey fingerprint: 16B1 C4EE C0BC 021A C777  F681 B63B 2187 9C34 85B0
>>
>>
>> How to do this without "gpg: WARNING:" part?
>>
> 
> In the pgp trust model – assuming you've already verified the key and are
> sure that it really belongs to Lennart – you need to sign (certify) it
> either with a public or local signature:
> 
> $ gpg --lsign-key "63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4"
> 
> In the tofu or tofu+pgp trust model, mark it as good in tofu.db:
> 
> $ gpg --tofu-policy good "63CD A1E5 D3FC 22B9 98D2  0DD6 327F 2695 1A01 5CC4"
> 
> (You can try out the new models using "gpg --update-trustdb --trust-model tofu+pgp".)
> 


https://www.gnupg.org/news.html
GnuPG 2.1.10 released (2015-12-04)
"A new version of the modern branch of GnuPG has been released. The main features of this release are support for TOFU ..."

Fortunately or not,
Fedora still runs on diesel, i.e. 1.4.20 - "the classic portable version"
https://koji.fedoraproject.org/koji/packageinfo?packageID=453

so no Tofu in Fedora's kitchen, Mortadella only ;)

However, reading up on
https://en.wikipedia.org/wiki/Trust_on_first_use
what stands out is what is called "strengths" -and- "weakness":
"... must initially validate every interaction ..."

This sounds rather naive,
or shall we say NA²IVE - "Not At All Intelligent Verification Engagement"


However, thanks for a great reference.
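A way to get a definite answer out of the tag verification without depending on the pgp or tofu trust model at all is to pin the expected key fingerprint and check gpg's machine-readable status lines, which is what the "WARNING: This key is not certified" text is really about (gpg reports TRUST_UNDEFINED when the key carries no certification). The script below is an added example, not from this thread or from systemd; it assumes `git verify-tag --raw` is available (it prints the status lines on stderr) and uses a constructed status sample built from the fingerprints quoted above.

```shell
#!/bin/sh
# Pinned primary-key fingerprint from the thread (no spaces, uppercase).
PINNED_FPR="63CDA1E5D3FC22B998D20DD6327F26951A015CC4"

# Constructed sample of what `git verify-tag --raw v229 2>&1` (or
# `gpg --status-fd 1 --verify`) would print for the signature in the thread.
# Third field of VALIDSIG is the signing (sub)key fingerprint, the last field
# is the primary key fingerprint.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B63B21879C3485B0 Lennart Poettering <lennart@poettering.net>
[GNUPG:] VALIDSIG 16B1C4EEC0BC021AC777F681B63B21879C3485B0 2016-02-11 1455208658 0 4 0 1 10 00 63CDA1E5D3FC22B998D20DD6327F26951A015CC4
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# verify_pinned STATUS_TEXT PINNED_FPR
# Exit 0 only if a VALIDSIG line names PINNED_FPR as the primary key
# (last field) or as the signing subkey (third field), and no BADSIG/ERRSIG
# line is present. The TRUST_* line is deliberately ignored: the pin replaces
# the trust-model decision.
verify_pinned() {
  printf '%s\n' "$1" | awk -v pin="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($3 == pin || $NF == pin) ok = 1 }
    $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
    END { exit ((ok && !bad) ? 0 : 1) }
  '
}

# trust_level STATUS_TEXT: print the TRUST_* keyword gpg emitted, so the
# reader can see why the human-readable warning appeared.
trust_level() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# Stand-alone run on the constructed sample. For a real tag, replace
# SAMPLE_STATUS with: status=$(git verify-tag --raw v229 2>&1)
if verify_pinned "$SAMPLE_STATUS" "$PINNED_FPR"; then
  echo "tag signed by pinned key (gpg trust line: $(trust_level "$SAMPLE_STATUS"))"
else
  echo "tag NOT signed by pinned key" >&2
fi
```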


