[Catalog-sig] How to verify cheeseshop signatures?

Phillip J. Eby pje at telecommunity.com
Sun Oct 23 19:39:38 CEST 2005


At 07:07 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>I can't speak for the vast majority of the cheeseshop users; the vast
>majority of regular GPG users who ever signed somebody else's key is
>probably able to find a chain of trust to Richard Jones.

I'm making the (not unreasonable) assumption that most cheeseshop users 
either don't have, or at least don't know how to use GPG, and therefore 
don't have any trust chain at all.


>>It seems like it would make more sense to use a format that includes a 
>>certificate signature chain (as with Ruby Gems).  Having to manually 
>>track the keys of individual authors sort of goes against the whole point.
>
>Why is that any better? Where do I get a code-signing certificate from?

Since, as you've already pointed out, merely knowing that it's Richard Jones 
doesn't prove the code isn't malware, it would suffice for the 
cheeseshop to certify that a particular public key belongs to the person 
who registered under a particular author ID.

Mostly, I'm just feeling frustrated because this looks like an awful lot of 
tricky design work is needed to make this whole thing work for people who 
are not crypto experts.  (And by "crypto expert", I mean anybody who 
actually understands how to use GPG, which is to say, not me.  :) )
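The trust model Eby sketches above (the index certifies that a public key belongs to a registered author ID; the author signs the release; a user trusts only the index's key and never has to track individual author keys) can be shown end to end. What follows is an added worked example written for this page; it is not code from the thread, from the cheeseshop/PyPI, or from GPG. The signature primitive is textbook RSA over a SHA-256 digest with a fixed-seed RNG (an illustration of the chain, not a production scheme: no padding, small keys), and the author IDs, file name and package bytes are constructed for the demo.

```python
"""Added example: index-certified author keys, verified by a client that
trusts only the index root key.  Toy RSA, not a production signing scheme."""
import hashlib
import json
import random

_rng = random.Random(2005)  # fixed seed: reproducible keys for the demo


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after trial division by small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: composite
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d)).  512-bit n keeps the
    256-bit digest below n, which the raw (unpadded) signature needs."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(.., -1, m) needs Python 3.8+


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    n, d = private
    return pow(_digest_int(data), d, n)


def verify(public, data, sig):
    n, e = public
    return 0 < sig < n and pow(sig, e, n) == _digest_int(data)


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def index_certify(index_priv, author_id, author_pub):
    """The index vouches for exactly one thing: this key belongs to this
    author ID.  It says nothing about whether the author's code is benign."""
    binding = {"author_id": author_id, "n": author_pub[0], "e": author_pub[1]}
    return {"binding": binding, "index_sig": sign(index_priv, canonical(binding))}


def author_release(author_priv, author_id, filename, content):
    meta = {"author_id": author_id, "filename": filename,
            "sha256": hashlib.sha256(content).hexdigest()}
    return {"meta": meta, "sig": sign(author_priv, canonical(meta))}


def client_verify(index_pub, cert, release, content):
    """Client trusts only index_pub.  Check the index's signature on the
    binding, that the release names the bound author ID, the author's
    signature on the metadata, and finally the digest of the bytes."""
    binding = cert["binding"]
    if not verify(index_pub, canonical(binding), cert["index_sig"]):
        return False
    if release["meta"]["author_id"] != binding["author_id"]:
        return False
    author_pub = (binding["n"], binding["e"])
    if not verify(author_pub, canonical(release["meta"]), release["sig"]):
        return False
    return hashlib.sha256(content).hexdigest() == release["meta"]["sha256"]


def demo():
    """Genuine release plus three attacks; IDs and bytes are constructed."""
    index_pub, index_priv = keygen()
    rj_pub, rj_priv = keygen()
    mal_pub, mal_priv = keygen()
    pkg = b"constructed sample sdist bytes"
    cert = index_certify(index_priv, "rjones", rj_pub)
    rel = author_release(rj_priv, "rjones", "foo-1.0.tar.gz", pkg)
    mal_cert = index_certify(index_priv, "mallory", mal_pub)
    return {
        "genuine": client_verify(index_pub, cert, rel, pkg),
        "tampered": client_verify(index_pub, cert, rel, pkg + b"\x00"),
        # Mallory forges a binding for "rjones" with her own key, but can
        # only sign it with her own key, not the index's.
        "uncertified_key": client_verify(
            index_pub, index_certify(mal_priv, "rjones", mal_pub),
            author_release(mal_priv, "rjones", "foo-1.0.tar.gz", pkg), pkg),
        # Mallory holds a genuine cert for "mallory" but publishes as "rjones".
        "wrong_author_id": client_verify(
            index_pub, mal_cert,
            author_release(mal_priv, "rjones", "foo-1.0.tar.gz", pkg), pkg),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the structure is the one the reply makes: the client needs exactly one trusted key (the index's), and the index's certificate binds an author ID to a key without asserting anything about the code itself. In a real deployment the raw RSA here would be replaced by a standard signature scheme with proper padding, and the index would also need a way to revoke or rotate a binding.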