[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 13:54:23 CEST 2005

Jp Calderone wrote:
> The required key is indicated in the message.  You just need to retrieve it:
> gpg --import 41C6E930
> Re-running --verify should now work.

Partially, yes: it will verify that the signature was made by the public
key with that key ID. That doesn't mean you know for sure that the
person you assume to be behind the key really is the "owner" of the key.

For that, you would actually have to validate the public key, e.g. by
looking at the signatures on the public key, and checking whether you
recognize them, and whether you believe they would only sign keys for
people they have verified in person.

This is nothing cheeseshop could help with: the web of trust really is
between people, not between technology.


More information about the Catalog-sig mailing list