警告信息“此密钥未经可信签名认证!”何时验证 apache :
wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz
wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz.asc
wget https://downloads.apache.org/accumulo/KEYS
gpg --import KEYS
gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
出现错误信息:
gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg: using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B 835D 6F0C DAE7 00B6 899D
我想完全信任它:
gpg --edit-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
gpg> trust
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 4
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
gpg> quit
然后再次验证:
gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg: using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B 835D 6F0C DAE7 00B6 899D
如何抑制验证apache时的警告信息?
答案1
将信任设置为最终 (5),或签署密钥,即可解决问题(但请参阅下面的警告!)。
选项 1:将信任设置为最终
$ gpg --edit-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
[...]
gpg> trust
[...]
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
[...]
gpg> quit
请注意,我在信任提示符下输入了 5。现在,当我运行验证命令时:
$ gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
输出中不再有警告。另一方面,当我将信任设置为最终时,我确实撒了谎。
选项 2:签署密钥
由于您最终并不信任该密钥,因此使用您自己的最终受信任的密钥对密钥进行签名更为正确。如果您想先做一些调查,请参阅警告。签署密钥:
$ gpg --sign-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
[...]
Really sign all user IDs? (y/N) y
[...]
Really sign? (y/N) y
当我运行验证命令时,再次没有警告,这一次我不必撒谎。
警告
请注意,该警告的存在是有充分理由的。如果您想在签署密钥或将其标记为最终受信任之前花更多的精力来尝试确定您是否信任该密钥,这个 security.stackexchange.com 线程是一个很好的起点。