GPG – Validating Key Signature Authenticity

Tags: authentication, gpg, keys

I'm trying to validate the integrity of my httpd-2.2.17.tar.gz image.
I followed the steps written in the following pages:

But I got:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

What do I need to do in order to verify the authenticity of the key?

Best Answer

The usual means of verification is to contact the key owner and ask him/her to provide you (over the phone, or in person) with their key fingerprint. If you have strong reason to believe you are actually speaking to the person identified by the key, AND if the fingerprint the person provides matches the fingerprint of the key you have, THEN you can be quite certain you have the owner's real public key (and NOT a counterfeit key, created by an imposter for the purpose of impersonating that person).

Once you have verified the authenticity of the key to your satisfaction, you should sign that public key with your own private key. Once you've signed the key, you will no longer get those WARNINGs, because by signing it, you have indicated that you believe the key to be authentic.
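The procedure in the answer, as an added shell example that is not part of the original question or answer and is not the Apache project's own tooling. It reproduces the WARNING with a throwaway "upstream" key in a temporary keyring, checks that key's fingerprint against a copy obtained out of band (here a file standing in for the number the owner reads to you over the phone), and only then signs the key, after which the same verification reports full trust. The user ids, the fake tarball, the example.invalid addresses and all keys are constructed here; it needs gpg 2.1 or later for the --quick-* options.

```sh
#!/bin/sh
# Added example (not from the original post). Two temporary keyrings:
#   $DEV  the release manager who signed the tarball
#   $ME   the person verifying the download
# All keys, files and user ids below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
DEV="$WORK/dev"
ME="$WORK/me"
mkdir -m 700 "$DEV" "$ME"

# gpg in non-interactive mode against keyring $1 (keys here have no passphrase)
g() { home="$1"; shift; GNUPGHOME="$home" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key selected by $2 in keyring $1, as a 40-hex-digit string.
fingerprint_of() {
  GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify $2 against $2.asc and print the machine-readable verdict, e.g.
# "GOODSIG TRUST_UNDEFINED" (the asker's WARNING), "GOODSIG TRUST_FULLY" or "BADSIG".
verify_status() {
  GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|BADSIG|ERRSIG|TRUST_)/ { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# The step the answer describes: compare the fingerprint of the key you hold
# ($2 in keyring $1) with the one the owner gave you out of band (file $3).
# Spaces and case are ignored so a hand-copied "AB12 CD34 ..." compares equal.
fingerprint_matches() {
  expected=$(tr -d ' \n' < "$3" | tr '[:lower:]' '[:upper:]')
  [ -n "$expected" ] && [ "$expected" = "$(fingerprint_of "$1" "$2")" ]
}

# Sign the key with your own key once its fingerprint checked out. --quick-lsign-key
# takes the verified fingerprint and makes a local (non-exportable) certification;
# --quick-sign-key is the exportable form the answer refers to as "signing".
certify_key() { g "$1" --quick-lsign-key "$2"; }

make_fixtures() {
  printf 'constructed stand-in for httpd-2.2.17.tar.gz\n' > "$WORK/httpd-2.2.17.tar.gz"
  g "$DEV" --quick-generate-key 'Release Manager <release@example.invalid>' default default never
  g "$DEV" --armor --detach-sign --output "$WORK/httpd-2.2.17.tar.gz.asc" "$WORK/httpd-2.2.17.tar.gz"
  g "$DEV" --armor --export release@example.invalid > "$WORK/KEYS"
  # The out-of-band copy: what the owner reads to you over the phone or hands you in person.
  fingerprint_of "$DEV" release@example.invalid > "$WORK/fingerprint-from-owner.txt"
  g "$ME" --quick-generate-key 'Verifier <me@example.invalid>' default default never
  g "$ME" --import "$WORK/KEYS"
}

main() {
  make_fixtures
  tarball="$WORK/httpd-2.2.17.tar.gz"
  echo "--- gpg's own messages before signing the key (the asker's WARNING):"
  GNUPGHOME="$ME" gpg --batch --verify "$tarball.asc" "$tarball" || true
  echo "before: $(verify_status "$ME" "$tarball")"
  fpr=$(fingerprint_of "$ME" release@example.invalid)
  if fingerprint_matches "$ME" release@example.invalid "$WORK/fingerprint-from-owner.txt"; then
    certify_key "$ME" "$fpr"
    echo "after:  $(verify_status "$ME" "$tarball")"
  else
    echo "fingerprint mismatch for $fpr: do NOT sign this key" >&2
  fi
  printf 'tampered\n' >> "$tarball"
  echo "tampered download: $(verify_status "$ME" "$tarball")"
  for h in "$DEV" "$ME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
}
main
```

Before the key is signed the verdict is GOODSIG with TRUST_UNDEFINED, which is exactly the state that prints the WARNING: the signature is mathematically good, gpg just has no reason to believe the key belongs to the claimed owner. After the fingerprint check and the local signature it becomes GOODSIG with TRUST_FULLY and the WARNING disappears; a modified tarball yields BADSIG regardless of trust. For a real download the .asc and the KEYS file come from the project and the fingerprint must come from the key owner through a channel the attacker cannot control; a fingerprint copied from the same web page as the key proves nothing.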