[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 20:07:30 CEST 2005

Phillip J. Eby wrote:
> Since as you've already pointed out, merely knowing that it's Richard 
> Jones doesn't prove the code isn't malware, then it would suffice for 
> the cheeseshop to certify that a particular public key belongs to the 
> person who registered under a particular author ID.

So the assumption is that the cheeseshop is trusted, right?

If so, the gpg keyid gives you the guarantee that you want: that the
package was really signed by the person of the particular author ID.

> Mostly, I'm just feeling frustrated because this looks like an awful lot 
> of tricky design work is needed to make this whole thing work for people 
> who are not crypto experts.  (And by "crypto expert", I mean anybody who 
> actually understands how to use GPG, which is to say, not me.  :) )

Depends on what you mean by "to work". If you get the package from
cheeseshop, you don't need to verify it, because the cheeseshop is
trusted. If you get it elsewhere, how do you verify it?
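
Added example, not part of the original message or of any cheeseshop code: one way a client could check that a downloaded package was signed by the key the index lists for its author, by parsing the machine-readable `gpg --status-fd` output. It assumes the key ID was fetched from the trusted index itself; the function names and the sample status text are constructed for illustration.

```python
# Added illustration, not list or index code. Names and sample data are constructed.
# Status keywords after which gpg's verdict must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed `gpg --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz` output.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Example Author <author@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF1122334455667788 2005-10-23 1130090850 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

def signer_fingerprints(status_text):
    """Return (signing_fpr, primary_fpr) for exactly one valid signature, else None."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable text is never parsed
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Field 11 is the primary key fingerprint when gpg reports it.
            primary = fields[11] if len(fields) > 11 else fields[2]
            found.append((fields[2].upper(), primary.upper()))
    # Zero or several signatures is ambiguous, so refuse.
    return found[0] if len(found) == 1 else None

def signed_by_registered_key(status_text, registered_keyid):
    """True if the one valid signature comes from the key the index lists for the author.

    Assumption: registered_keyid was fetched from the trusted index itself.
    """
    wanted = registered_keyid.replace(" ", "").upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if len(wanted) < 16 or any(c not in "0123456789ABCDEF" for c in wanted):
        raise ValueError("need a 64-bit key ID or full fingerprint; short IDs collide")
    fprs = signer_fingerprints(status_text)
    # A v4 key ID is the low 64 bits of the fingerprint, so a suffix match is enough.
    # The primary fingerprint is checked too because signatures often come from a subkey.
    return fprs is not None and any(f.endswith(wanted) for f in fprs)
```

A `GOODSIG` line alone is not accepted here: only `VALIDSIG` carries the full fingerprint, and the result is only as trustworthy as the channel the key ID came over.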

