
Re: [tor-talk] New Signatures after using gpg?

On Wed, Sep 14, 2011 at 10:46:17AM -0700, Big Momma wrote:
> I am using Ubuntu 10.04 and have the following line in my /etc/apt/sources.list
> deb http://deb.torproject.org/torproject.org lucid main
> I then followed the instructions here
> https://www.torproject.org/docs/debian.html.en
> Why are there 3 new signatures?  What does this mean?  Thanks. 
> gpg --keyserver keys.gnupg.net --recv 886DDD89
> gpg: requesting key 886DDD89 from hkp server keys.gnupg.net
> gpg: key 886DDD89: "deb.torproject.org archive signing key" 3 new signatures
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:         new signatures: 3

It means you had a copy of the key already, and now you downloaded a few
more signatures on the key, which can be used to improve your trust in it
if you recognize and trust any of the keys that signed it.

Do a "gpg --list-sigs 886DDD89" and you'll see (assuming you import
the other keys too) something like:

$ gpg --list-sigs 886DDD89
pub   2048R/886DDD89 2009-09-04 [expires: 2014-09-03]
uid                  deb.torproject.org archive signing key
sig 3        886DDD89 2009-09-04  deb.torproject.org archive signing key
sig 3        94C09C7F 2009-09-04  Peter Palfrader
sig          28988BF5 2009-09-11  Roger Dingledine <arma@xxxxxxx>
sig          31B0974B 2009-09-13  Andrew Lewman (phobos) <phobos@xxxxxxxxxx>
sig          639F6A66 2010-02-03  Adam Nichols <adam@xxxxxxxxx>
sig          5B172AB2 2010-02-18  Sven Lucke (Verschlüsselung) <svenlucke@xxxxxx>
sig          A1A1BC05 2010-02-19  Sven Lucke (Neuer Schlüssel) <luckesven@xxxxxx>
sig          27A1C89A 2010-10-17  z00z00z00 <z00z00z00@xxxxxxxx>
sig          6F10FC42 2010-11-05  [User ID not found]
sig          7B5D666B 2010-09-16  robbiemacg <publisher@xxxxxxxxxxxxxxxxxxxxxxx>
sig 3        29606E77 2010-11-15  lilo <al3lilo@xxxxxxxxxxxxx>
sig          339A7FA8 2010-09-23  Chris Jordan <jordanofspades@xxxxxxxxx>
sig          5B54D68C 2010-10-22  James O. Christie <jamesochristie@xxxxxxxxx>
sig          FDA28A1A 2011-06-30  [User ID not found]
sub   2048R/219EC810 2009-09-04 [expires: 2012-09-03]
sig          886DDD89 2009-09-04  deb.torproject.org archive signing key

In the PGP web of trust idea, anybody who wants to can sign a key for
whatever reason they choose. Some more people chose to sign the key since
you last fetched a copy. Nothing to worry about.
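
To make the reply's point concrete, the sketch below (an added example, not part of the original thread) parses the listing format shown above and sorts the signers by whether they can affect your trust: the self-signature, signers you have verified, signers you hold but have not verified, and signers whose key is not in your keyring. The function name, the sample subset and the `verified_ids` set are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the `gpg --list-sigs 886DDD89` output quoted above.
SAMPLE = """\
pub   2048R/886DDD89 2009-09-04 [expires: 2014-09-03]
uid                  deb.torproject.org archive signing key
sig 3        886DDD89 2009-09-04  deb.torproject.org archive signing key
sig 3        94C09C7F 2009-09-04  Peter Palfrader
sig          28988BF5 2009-09-11  Roger Dingledine <arma@xxxxxxx>
sig          6F10FC42 2010-11-05  [User ID not found]
sig          FDA28A1A 2011-06-30  [User ID not found]
sub   2048R/219EC810 2009-09-04 [expires: 2012-09-03]
sig          886DDD89 2009-09-04  deb.torproject.org archive signing key
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\s")
# "sig", optional check level 1-3, signer key ID, date, signer user ID
SIG_RE = re.compile(r"^sig\s+(?:[1-3]\s+)?([0-9A-F]{8})\s+\d{4}-\d{2}-\d{2}\s+(.*)$")

def classify_signers(listing, verified_ids):
    """Sort the user-ID certifications in a legacy-format --list-sigs listing."""
    out = {"self": [], "verified": [], "unverified": [], "missing": []}
    primary, in_subkey = None, False
    for line in listing.splitlines():
        m = PUB_RE.match(line)
        if m:
            primary, in_subkey = m.group(1), False
            continue
        if line.startswith("sub"):
            in_subkey = True  # signatures below bind the subkey, not the user ID
            continue
        m = SIG_RE.match(line)
        if not m or in_subkey:
            continue
        keyid, uid = m.group(1), m.group(2).strip()
        if keyid == primary:
            bucket = "self"          # the key signing its own user ID
        elif uid == "[User ID not found]":
            bucket = "missing"       # signer's key is not in the local keyring
        elif keyid in verified_ids:
            bucket = "verified"      # a signer you have checked yourself
        else:
            bucket = "unverified"    # known name, but nothing you have checked
        out[bucket].append(keyid)
    return out

if __name__ == "__main__":
    # Hypothetical input: pretend 94C09C7F is a key whose fingerprint you checked.
    # 8-character key IDs can collide, so real checks should compare fingerprints.
    for bucket, ids in classify_signers(SAMPLE, {"94C09C7F"}).items():
        print(f"{bucket:10s} {' '.join(ids)}")
```

Only the signers in the "verified" bucket add to your confidence in the key; the rest, including any newly fetched ones, are just extra certifications.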

