I want to verify GPG4Win using Linux and the command line. I used the following steps and would like to know if it is in fact valid. I get the proper results but I’m not sure if it is just by accident.
Used Ubuntu Gnome 15.04 to verify GPG4Win 2.2.4
Download gpg4win-2.2.4.exe and gpg4win-2.2.4.exe.sig to ~/Downloads
gpg --keyserver keys.gnupg.net --recv-keys 0xEC70B1B8
gpg: requesting key EC70B1B8 from hkp server keys.gnupg.net
gpg: key EC70B1B8: public key "Intevation File Distribution Key <distribution- firstname.lastname@example.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg --verify gpg4win-2.2.4.exe.sig gpg4win-2.2.4.exe
gpg: Signature made Wed 18 Mar 2015 05:09:38 AM EDT using DSA key ID EC70B1B8
gpg: Good signature from "Intevation File Distribution Key <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8
It looks good - the procedure’s correct. The ‘warning about key not certified with trusted signature’ is because you haven’t signed the key you downloaded (ID EC70B1B8). If you are happy with having checked their fingerprint and confirming that it is the same as you see on the gpg4win download page, you might sign the key for local use only. Then you will not get the warning.
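The procedure described above (fetch the key, compare its fingerprint with the one you read on the download page, local-sign it, then verify), written out as a POSIX shell script. This is an added example, not a script from Gpg4win or Intevation; it assumes gpg is on PATH, the two downloaded files are in the current directory, and the expected fingerprint is the one quoted in this thread (copied into the script by hand). It fetches the key by full fingerprint rather than by the 32-bit key ID, since short IDs are not unique.

```shell
#!/bin/sh
# Added example (not Gpg4win's own code): verify a Gpg4win download and
# local-sign the distribution key after checking its fingerprint yourself.

# Fingerprint as read from the download page (copied from this thread).
# Spaces and letter case are ignored when comparing.
EXPECTED_FPR="61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8"

# Strip whitespace and upper-case so "61ac 3f5e..." equals "61AC3F5E...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Exit status 0 if both strings denote the same 160-bit fingerprint.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of a key already in the local keyring.
# --with-colons is gpg's machine-readable listing; the first "fpr"
# record belongs to the primary key and carries the value in field 10.
local_fpr() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

verify_gpg4win() {
    exe="$1"; sig="$2"
    keyfpr=$(normalize_fpr "$EXPECTED_FPR")
    # Fetch by full fingerprint, not by the short ID 0xEC70B1B8.
    gpg --keyserver keys.gnupg.net --recv-keys "$keyfpr" || return 1
    actual=$(local_fpr "$keyfpr")
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: keyring has '$actual'" >&2
        return 1
    fi
    # Local (non-exportable) signature: records on this machine that you
    # checked the key, which removes the "not certified" warning.
    # Interactive in gpg 1.4/2.0; GnuPG 2.1+ also has --quick-lsign-key.
    gpg --lsign-key "$keyfpr" || return 1
    gpg --verify "$sig" "$exe"
}

# Run the real procedure only when asked, so the helpers can be sourced.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_gpg4win gpg4win-2.2.4.exe gpg4win-2.2.4.exe.sig
fi
```

Run it as `RUN_VERIFY=1 sh verify-gpg4win.sh` from ~/Downloads; a non-zero exit means the key's fingerprint did not match or the signature did not verify.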
Could you tell me how to sign the key or point me to the documentation?
The question you are trying to answer is: how sure can you be that the cert you were using to verify the signature actually belongs to us (Intevation)?
This is the “trust” question; you will find lots of documentation about it, e.g. the “web of trust” is one of the methods that is used a lot with OpenPGP.
For Intevation, one way to build (some) trust is to use the certs in your web browser to look at https://ca.intevation.de and compare the fingerprint.
PS: Flattr Gpg4win at https://flattr.com/thing/2053326 if you appreciate this answer and my work within the Gpg4win Initiative.
Before replying last time I did read about the gpg --sign & --verify & --import, having signing parties to build a web of trust etc.
The issue is the information is all over the place and difficult to understand for the beginner.
So, what I get out of all of this signing business is, what good is it if the general public can’t make sense of it?
Thanks for your help. I give up.
From your answer I understand that there is some frustration on your end. I can relate to it; the “web of trust” is hard to understand and handle.
Unfortunately the problem it tries to solve is hard, too, so right now we cannot offer you a good solution for the “trust question”.
Some approaches are being worked on (to give you the technical keywords: “trust on first use” like written down in the STEED proposal by Werner Koch). But it probably takes some time until there are enough good implementations.
If you also had a look at the Gpg4win Compendium, we are trying to explain some of the concepts in there. (And we appreciate feedback on it.)