Forum: help-en


RE: How do I "trust" a key and what is "Change Certification Power"? [ Reply ] By: E B on 2023-07-27 12:15 | [forum:8954] |
Well, people handle this differently, and it depends on the context and your level of paranoia how you do it. Basically you check whether the fingerprint of the public key you downloaded, which is shown in the details of that key in Kleopatra, is the same as the fingerprint of that person's key that you get from somewhere else. That somewhere else might e.g. be a business card you got from them at an event. In your case - I guess you do not know the developer of the software - you have to choose a less secure or a more complicated way.

The easiest: you can just decide to trust the key and certify it. You will then notice in the future if the signature has changed, when you download and verify software from that site again. The concept's name is "Trust on first use": https://en.wikipedia.org/wiki/Trust_on_first_use . Go ahead and read that article if you want to learn more; it also links to the more complicated concept of the web of trust. I would also check whether the fingerprint of the key is given somewhere else than where I got the download, e.g. on the download page and the project's git repository, and that both match the one Kleopatra shows me.

Certifying a key is easiest done in Kleopatra: just right-click the public key in the certificate list and choose "Certify". In the new window the fingerprint is shown for easy comparison, and you have to click "Certify" again. That's it. |
RE: How do I "trust" a key and what is "Change Certification Power"? [ Reply ] By: John Jones on 2023-07-26 10:51 | [forum:8953] |
Thanks for the extremely helpful message! :-)

> Verify that the owner of that key is who you think it is by comparing the fingerprint via another channel.

Please could you explain how to do this in simple terms? |
RE: How do I "trust" a key and what is "Change Certification Power"? [ Reply ] By: E B on 2023-07-25 09:44 | [forum:8952] |
The *signature* is valid, as gpg tells you "Good signature from ...", but this only means that somebody has correctly signed the software; it does not tell you who signed it, only which key was used. If you want the warning regarding the ownership of that key to go away you need to: verify that the owner of that key is who you think it is by comparing the fingerprint via another channel. And then in Kleopatra right-click on their public key -> Certify to certify that the key belongs to the right person. This has nothing to do with the "certification power" or trust, which are both terms used in connection with the web of trust. They relate to whether you want to trust their certifications of other keys. You do not need this for verifying your software downloads. |
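The distinction E B draws in the two replies above (a "Good signature" line only proves which key signed the file; whether that key is the right one comes from comparing its fingerprint against a second channel, after which trust-on-first-use pins it) can be made mechanical. The following Python is an added example, not code from this thread, from Gpg4win or from qBittorrent: it parses the human-readable `gpg --verify` output that John Jones quoted, normalises fingerprints so that the spaced form Kleopatra shows compares equal to the compact form, checks the fingerprint against one supplied from elsewhere, and keeps a small trust-on-first-use pin store. The sample output is the audit log quoted later in the thread; the `expected_fingerprint` argument and the pin-store owner label are constructed inputs standing in for what you would read off the download page or git repository.

```python
"""Check a gpg verification result the way the thread recommends.

Added example, not the project's own code. Three questions are answered
separately: did the signature verify, is the signing key the one whose
fingerprint you obtained over another channel, and has that fingerprint
changed since you first pinned it (trust on first use).
"""
import re

# Constructed sample: the gpg output quoted in the thread, one line each.
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made 17 Jun 2023 11.51.51 PM GMT Daylight Time
gpg: using RSA key D8F3DA77AAC6741053599C136E4A2D025B7CC9A2
gpg: Good signature from "sledgehammer_999 (Used for signing git commits/tags/etc) <hammered999@gmail.com>" [unknown]
gpg: aka "sledgehammer999 (Used for signing qBittorrent source tarballs and binaries v2.) <sledgehammer999@qbittorrent.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D8F3 DA77 AAC6 7410 5359 9C13 6E4A 2D02 5B7C C9A2
"""


def normalize_fingerprint(fpr):
    """Drop spaces/colons and upper-case, so the spaced form Kleopatra shows
    compares equal to the compact form on a download page."""
    fpr = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % fpr)
    return fpr


def parse_verify_output(text):
    """Summarise what gpg reported: good signature, key validity, fingerprint."""
    result = {"good_signature": False, "validity": None,
              "fingerprint": None, "uncertified_warning": False}
    for line in text.splitlines():
        m = re.match(r'gpg: Good signature from "(.*)" \[(\w+)\]$', line)
        if m:
            result["good_signature"] = True
            result["validity"] = m.group(2)  # "unknown" until you certify the key
        if "WARNING: This key is not certified" in line:
            result["uncertified_warning"] = True
        m = re.match(r"Primary key fingerprint:\s*(.+)$", line)
        if m:
            result["fingerprint"] = normalize_fingerprint(m.group(1))
    return result


class FingerprintPins:
    """Trust-on-first-use store: remember the fingerprint seen for an owner
    label and flag any later change."""

    def __init__(self):
        self._pins = {}

    def check(self, owner, fingerprint):
        """'pinned' on first sight, then 'match' or 'MISMATCH'."""
        fpr = normalize_fingerprint(fingerprint)
        if owner not in self._pins:
            self._pins[owner] = fpr
            return "pinned"
        return "match" if self._pins[owner] == fpr else "MISMATCH"


def assess(gpg_output, expected_fingerprint):
    """Combine the checks: signature verified, and the signing key's
    fingerprint equals the one obtained over a second channel."""
    r = parse_verify_output(gpg_output)
    if not r["good_signature"]:
        return "BAD: signature did not verify"
    if r["fingerprint"] != normalize_fingerprint(expected_fingerprint):
        return ("BAD: good signature, but the signing key's fingerprint does "
                "not match the one obtained elsewhere")
    if r["validity"] == "unknown":
        return ("OK: good signature from the expected key; gpg still warns "
                "only because you have not certified the key locally yet")
    return "OK: good signature from a certified key"


if __name__ == "__main__":
    # Constructed "second channel" value: here it is the same fingerprint,
    # typed in lower case without spaces, as a download page might show it.
    print(assess(SAMPLE_GPG_OUTPUT, "d8f3da77aac6741053599c136e4a2d025b7cc9a2"))
    pins = FingerprintPins()
    print(pins.check("qBittorrent release key", "D8F3DA77AAC6741053599C136E4A2D025B7CC9A2"))
    print(pins.check("qBittorrent release key", "D8F3 DA77 AAC6 7410 5359 9C13 6E4A 2D02 5B7C C9A2"))
```

The "OK ... not certified" outcome is exactly the situation in the thread: the warning is about local certification, not about the signature, and it disappears once the key is certified in Kleopatra (right-click -> Certify). A MISMATCH from the pin store, or a fingerprint that differs from the one published elsewhere, is the case where the warning should be taken seriously.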
RE: How do I "trust" a key and what is "Change Certification Power"? [ Reply ] By: John Jones on 2023-07-24 19:27 | [forum:8951] |
Just for the record, here is the audit log of one of the files in question which cannot be verified:

gpg: Signature made 17 Jun 2023 11.51.51 PM GMT Daylight Time
gpg: using RSA key D8F3DA77AAC6741053599C136E4A2D025B7CC9A2
gpg: Good signature from "sledgehammer_999 (Used for signing git commits/tags/etc) <hammered999@gmail.com>" [unknown]
gpg: aka "sledgehammer999 (Used for signing qBittorrent source tarballs and binaries v2.) <sledgehammer999@qbittorrent.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D8F3 DA77 AAC6 7410 5359 9C13 6E4A 2D02 5B7C C9A2

I showed this to someone and was told that the key is valid, I just haven't "trusted" his public key. Is that correct? |
How do I "trust" a key and what is "Change Certification Power"? [ Reply ] By: John Jones on 2023-07-24 19:23 | [forum:8950] |
I've been trying to use Kleopatra to verify a few installer files I've downloaded for the program qBittorrent. However, the verification kept failing. Someone told me that it's because I haven't "trusted" the software company's public key. So how do I do this? Is the option I'm looking for called "Change Certification Power" (found in the context menu when you right-click on a certificate)? And why is there no mention of this feature in the documentation? Here's a screenshot of it: https://i.postimg.cc/cChW1ftj/Kleopatra.png

I'm running Kleopatra version Gpg4win-4.2.0 |