$ gpg httpd-2.0.55.tar.gz.asc
gpg: Signature made Monday 10 October 2005 07:05:15 AM IST using RSA key ID 10FDE075
gpg: Can't check signature: public key not found
没有 Key ID ,当然也就无法校验文件% gpg --verify apache_2.2.11-win32-x86-no_ssl.msi.asc
Warning: using insecure memory!
gpg: Signature made Wed Dec 10 15:32:32 2008 CST using RSA key ID CB9B9EC5
gpg: Can't check signature: No public key
所以要导入 key ID。 这里用 --recv-keys
% gpg --recv-keys CB9B9EC5
( or
Warning: using insecure memory!
gpg: requesting key CB9B9EC5 from hkp server keys.gnupg.net
gpg: key B55D9977: public key "William A. Rowe, Jr. <wrowe@rowe-clan.net>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
导入完成后,再来校验,就OK了。
% gpg --verify apache_2.2.11-win32-x86-no_ssl.msi.asc
Warning: using insecure memory!
gpg: Signature made Wed Dec 10 15:32:32 2008 CST using RSA key ID CB9B9EC5
gpg: Good signature from "William A. Rowe, Jr. <wrowe@rowe-clan.net>"
gpg: aka "William A. Rowe, Jr. <wrowe@apache.org>"
gpg: aka "William A. Rowe, Jr. <william.rowe@springsource.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B9 6F45 DFBD CCF9 7401 9235 193F 180A B55D 9977
Subkey fingerprint: 6746 56C7 3897 2D5B D2A4
但是还可以看到有“WARNING: This key is not certified with a trusted signature!”这样的警告,意指这个 key 没有信任签名。
基本上你可以忽略这条信息。但如果你看着心里边不舒服,那就加上信任签名。当然了,首要前提是你确定这个 key 是绝对信得过的。
% gpg --edit-key B55D9977
Warning: using insecure memory!
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/B55D9977 created: 2008-04-09 expires: never usage: SC
trust: undefined validity: unknown
sub 4096R/CB9B9EC5 created: 2008-04-09 expires: 2009-07-03 usage: S
sub 4096R/C10FE28B created: 2008-04-09 expires: 2009-07-03 usage: E
sub 4096g/FF1392F5 created: 2008-04-09 expires: 2009-07-03 usage: E
[ unknown] (1). William A. Rowe, Jr. <wrowe@rowe-clan.net>
[ unknown] (2) William A. Rowe, Jr. <wrowe@apache.org>
[ unknown] (3)
Command> trust
pub 4096R/B55D9977 created: 2008-04-09 expires: never usage: SC
trust: undefined validity: unknown
sub 4096R/CB9B9EC5 created: 2008-04-09 expires: 2009-07-03 usage: S
sub 4096R/C10FE28B created: 2008-04-09 expires: 2009-07-03 usage: E
sub 4096g/FF1392F5 created: 2008-04-09 expires: 2009-07-03 usage: E
[ unknown] (1). William A. Rowe, Jr. <wrowe@rowe-clan.net>
[ unknown] (2) William A. Rowe, Jr. <wrowe@apache.org>
[ unknown] (3)
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 4096R/B55D9977 created: 2008-04-09 expires: never usage: SC
trust: ultimate validity: unknown
sub 4096R/CB9B9EC5 created: 2008-04-09 expires: 2009-07-03 usage: S
sub 4096R/C10FE28B created: 2008-04-09 expires: 2009-07-03 usage: E
sub 4096g/FF1392F5 created: 2008-04-09 expires: 2009-07-03 usage: E
[ unknown] (1). William A. Rowe, Jr. <wrowe@rowe-clan.net>
[ unknown] (2) William A. Rowe, Jr. <wrowe@apache.org>
[ unknown] (3) William A. Rowe, Jr. <william.rowe@springsource.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> save
Key not changed so no update needed.
一定要选5才会绝对信任,在效验时也才不再会出现警示信息。
% gpg --verify apache_2.2.11-win32-x86-no_ssl.msi.asc
Warning: using insecure memory!
gpg: Signature made Wed Dec 10 15:32:32 2008 CST using RSA key ID CB9B9EC5
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "William A. Rowe, Jr. <wrowe@rowe-clan.net>"
gpg: aka "William A. Rowe, Jr. <wrowe@apache.org>"
gpg:
留意 Good signature 那一行,清净了。
#安全技术
