[Catalog-sig] How to verify cheeseshop signatures?
Phillip J. Eby
pje at telecommunity.com
Sun Oct 23 18:02:17 CEST 2005
>Jp Calderone wrote:
>> The required key is indicated in the message. You just need to
>> retrieve it:
>>
>> gpg --import 41C6E930
>>
>> Re-running --verify should now work.
It doesn't. I get "gpg: can't open `41C6E930': No such file or directory".
At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Partially, yes: it will verify that the signature was made by the public
>key with that key ID. That doesn't mean you know for sure that the
>person you assume to be behind the key really is the "owner" of the key.
>For that, you would actually have to validate the public key, e.g. by
>looking at the signatures on the public key, and checking whether you
>recognize them, and whether you believe they would only sign keys for
>people they have verified in person.
>This is nothing cheeseshop could help with: the web of trust really is
>between people, not between technology.
So, from a practical perspective, the current signature implementation is
of no use whatsoever to the vast majority of cheeseshop users.
It seems like it would make more sense to use a format that includes a
certificate signature chain (as with Ruby Gems). Having to manually track
the keys of individual authors sort of goes against the whole point.
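The key ID that the exchange above is trying to fetch comes out of the signature itself: an OpenPGP signature packet carries an "issuer" subpacket naming the signing key. The following is an added example, not code from this thread, from the Cheese Shop or from GnuPG. It is a stdlib-only Python parser for a v4 signature packet (RFC 4880, section 5.2.3) that extracts the issuer, followed by a keyring lookup that keeps Martin's two questions apart: which key made the signature, and whether you have any reason to trust that key's owner. The packet bytes, fingerprints, user IDs and the keyring are constructed for illustration; the short ID 41C6E930 is taken from the message, the rest of the fingerprint is made up, and nothing here talks to a keyserver or checks the RSA math (that remains gpg's job).

```python
"""Parse the issuer out of an OpenPGP v4 signature packet and separate
"which key signed this" from "do I trust that key's owner".
Added example; all packets, fingerprints and user IDs are constructed."""
import struct

CREATION_TIME = 2   # signature subpacket types (RFC 4880, 5.2.3.1)
ISSUER = 16         # 8-byte key ID of the signing key
ISSUER_FPR = 33     # version byte + full fingerprint (newer GnuPG adds this)


def _read_length(buf, pos):
    """Decode a new-format packet/subpacket length; return (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def _parse_subpackets(data):
    """Return {type: payload} for one subpacket area (critical bit dropped)."""
    out, pos = {}, 0
    while pos < len(data):
        length, pos = _read_length(data, pos)
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out


def parse_signature_packet(packet):
    """Parse one v4 signature packet (old- or new-format header) into a dict."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                              # new-format header
        tag = tag_byte & 0x3F
        body_len, pos = _read_length(packet, 1)
    else:                                            # old-format header
        tag = (tag_byte >> 2) & 0x0F
        width = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
        if width is None:
            raise ValueError("indeterminate length not supported")
        body_len = int.from_bytes(packet[1:1 + width], "big")
        pos = 1 + width
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = packet[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = _parse_subpackets(body[p + 2:p + 2 + unhashed_len])
    # The issuer key ID normally sits in the unhashed area, which the signature
    # does not cover: it is a lookup hint, not proof of who signed.
    issuer = unhashed.get(ISSUER) or hashed.get(ISSUER)
    fpr = hashed.get(ISSUER_FPR)
    created = hashed.get(CREATION_TIME)
    return {
        "version": body[0], "sig_type": body[1],
        "pk_algo": body[2], "hash_algo": body[3],
        "created": struct.unpack(">I", created)[0] if created else None,
        "issuer_key_id": issuer.hex().upper() if issuer else None,
        "issuer_fingerprint": fpr[1:].hex().upper() if fpr else None,
    }


def candidate_keys(sig, keyring, id_hex_len=8):
    """Keyring fingerprints ending in the issuer's short (8 hex) or long (16 hex)
    key ID.  A short ID is only 32 bits, so several keys can share one."""
    suffix = sig["issuer_key_id"][-id_hex_len:]
    return sorted(fpr for fpr in keyring if fpr.endswith(suffix))


def assess(sig, keyring):
    """What 'Good signature from key X' tells you after gpg has checked the math.
    keyring maps fingerprint -> (user ID, owner verified by you / your web of trust)."""
    fpr = sig["issuer_fingerprint"]
    if fpr is None:                                  # older sigs: fall back to long ID
        matches = candidate_keys(sig, keyring, 16)
        fpr = matches[0] if len(matches) == 1 else None
    if fpr is None or fpr not in keyring:
        return "unknown key"
    uid, owner_verified = keyring[fpr]
    if not owner_verified:
        return "key %s identified as %s, but owner not verified" % (fpr[-16:], uid)
    return "trusted: " + uid


def _subpacket(sub_type, payload):
    return bytes([len(payload) + 1, sub_type]) + payload


# Constructed signing key; only the last 8 hex digits (41C6E930) come from the thread.
SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF41C6E930"
_hashed = (_subpacket(CREATION_TIME, struct.pack(">I", 1130083337))  # constructed
           + _subpacket(ISSUER_FPR, b"\x04" + bytes.fromhex(SIGNER_FPR)))
_unhashed = _subpacket(ISSUER, bytes.fromhex(SIGNER_FPR)[-8:])
SAMPLE_BODY = (bytes([4, 0x00, 1, 2])                # v4, binary doc, RSA, SHA-1
               + struct.pack(">H", len(_hashed)) + _hashed
               + struct.pack(">H", len(_unhashed)) + _unhashed
               + b"\xAB\xCD"                         # left 16 bits of hash (dummy)
               + struct.pack(">H", 16) + b"\xFF\xFF")  # stub MPI instead of an RSA sig
SAMPLE_SIG = bytes([0xC2, len(SAMPLE_BODY)]) + SAMPLE_BODY   # new-format header, tag 2

# Constructed keyring; two entries share the short ID on purpose.
KEYRING = {
    SIGNER_FPR: ("Package Author <author@example.org>", False),
    "FEDCBA9876543210FEDCBA987654321041C6E930": ("Someone Else <other@example.org>", False),
    "00112233445566778899AABBCCDDEEFF00112233": ("Unrelated Key <nobody@example.org>", False),
}

if __name__ == "__main__":
    sig = parse_signature_packet(SAMPLE_SIG)
    print("issuer key ID   :", sig["issuer_key_id"])
    print("short-ID matches:", candidate_keys(sig, KEYRING, 8))
    print("long-ID matches :", candidate_keys(sig, KEYRING, 16))
    print(assess(sig, KEYRING))
```

Run as a script, it shows that the short ID from the message matches two keys in the constructed keyring while the long ID and fingerprint pin down one, and that even the pinned key only yields "identified, owner not verified" until somebody flips the trust bit. That last step is exactly what the web of trust, or a certificate chain as in Ruby Gems, is meant to supply; the signature format on its own cannot.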