git.vger.kernel.org archive mirror
* Signed tags and git repository
@ 2015-11-25 23:19 Stephen & Linda Smith
  2015-11-26  3:56 ` Johannes Löthberg
  2015-11-26  5:07 ` Stephen & Linda Smith
  0 siblings, 2 replies; 3+ messages in thread
From: Stephen & Linda Smith @ 2015-11-25 23:19 UTC (permalink / raw)
  To: git

I've been following commits to the linux and git repositories for some time. I used signed tags for
projects that I'm working on.

I know that the linux and git repositories have signed tags, but I'm not able to verify 
them because my key isn't signed by anyone that leads back to one of the git or linux 
maintainers. Of course I live in a technical desert since there seems to be no one that I
can find who lives in Phoenix, AZ that has a relationship to one of those two 
git repositories.

What have others done when they want their keys signed so they can be part of the 
web of trust? Does either of those two projects have a formal way of establishing these
relationships?

sps


* Re: Signed tags and git repository
  2015-11-25 23:19 Signed tags and git repository Stephen & Linda Smith
@ 2015-11-26  3:56 ` Johannes Löthberg
  2015-11-26  5:07 ` Stephen & Linda Smith
  1 sibling, 0 replies; 3+ messages in thread
From: Johannes Löthberg @ 2015-11-26  3:56 UTC (permalink / raw)
  To: git; +Cc: Stephen & Linda Smith

[-- Attachment #1: Type: text/plain, Size: 894 bytes --]

On 25/11, Stephen & Linda Smith wrote:
>I know that the linux and git repositories have signed tags, but I'm not able to verify
>them because my key isn't signed by anyone that leads back to one of the git or linux
>maintainers.

Your key would only have to be signed for others to be able to verify 
/your/ signatures through the Web of Trust.

You don't even need the Web of Trust though, you can just verify the 
signature and then check that the key used to make the signature is the 
correct one, then you could either sign the key if you know that the key 
belongs to the right person and want to make the signature public, or 
make a local signature which is local to your keyring and won't be sent 
to e.g. keyservers. Or just mark the key as trusted overall.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1565 bytes --]
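
The check described in the reply above (verify the signature, then confirm the signing key is the expected one), as an added example that is not part of the original thread. It assumes the expected fingerprint was obtained through a channel you already trust; the function names are hypothetical and the sample status lines and fingerprint are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a tag's signer against a pinned
# fingerprint instead of a Web of Trust path. Function names are hypothetical.

# Constructed sample of GnuPG status output; the fingerprint is made up.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-11-25 1448493540 0 4 0 1 8 00 $SAMPLE_FPR"

# Strip spaces and a leading 0x, then upper-case, so pasted fingerprints compare.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read status lines on stdin and print the primary-key fingerprint.
# GOODSIG is required as well: VALIDSIG alone also accompanies EXPKEYSIG and
# REVKEYSIG, where the signature is valid but the key is expired or revoked.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (!good || fpr == "") exit 1; print fpr }'
}

# Succeed only if the status on stdin shows a good signature by the pinned key.
# $1 must be a full fingerprint (at least 40 hex digits), not a short key ID.
status_matches_pin() {
    actual=$(signer_fpr) || return 1
    pinned=$(normalize_fpr "$1")
    case "$pinned" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#pinned}" -ge 40 ] || return 1
    [ "$(normalize_fpr "$actual")" = "$pinned" ]
}

# Verify tag $1 in the current repository against pinned fingerprint $2.
# `git verify-tag --raw` writes the GnuPG status lines to stderr.
verify_tag_pinned() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    printf '%s\n' "$status" | status_matches_pin "$2"
}
```

Once the fingerprint checks out, `gpg --lsign-key <fingerprint>` records the local signature the reply mentions, so later verifications no longer warn about an untrusted key.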


* Re: Signed tags and git repository
  2015-11-25 23:19 Signed tags and git repository Stephen & Linda Smith
  2015-11-26  3:56 ` Johannes Löthberg
@ 2015-11-26  5:07 ` Stephen & Linda Smith
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen & Linda Smith @ 2015-11-26  5:07 UTC (permalink / raw)
  To: git, Johannes Löthberg

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

On Thursday, November 26, 2015 04:56:00 AM Johannes Löthberg wrote:

> You don't even need the Web of Trust though, you can just verify the 
> signature and then check that the key used to make the signature is the 
> correct one, 

Ok, but if I don't have a link to the Web of Trust, how do I know that "the
key used to make sure the signature is the correct one" (i.e. trusted)?

sps

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

