Not really an issue with cpan per se, but with public/private keys in general. You probably should read up on public/private key encryption and signing, specifically with GnuPG (gpg) or PGP (from where gpg has cloned everything). And then these messages would make sense in that context.

Importing a key. That just means that now your local gpg will know about the new key. Unlike SSL where there are allegedly central authorities who can authenticate "trusted" keys (though, in reality, they merely authenticate that the key belongs to someone who paid them, not quite the same level of confidence that we ascribe to them), gpg has no central authority, instead relying on a hierarchical model whereby you validate the keys yourself and tell gpg whether you trust them or not, and, if so, how much. For example, you trust yourself completely (though I know people that this assumption wouldn't hold true for). You can trust that 450f89ec is PAUSE (or not - the default). But you can also decide if you trust PAUSE to be correct about who THEY confirm, to give you basically something akin to confidence levels in keys that you haven't personally vouched for.

Then we get to your new warning. Since you haven't personally authenticated the PAUSE key, nor has anyone you trusted signed the key (since you probably haven't told gpg to trust anyone), it's merely telling you that the signed data, though it matches the signature it knows about, isn't necessarily authentic. That is, it definitely belongs to whoever it claims to belong to, but we don't really know if who it claims to belong to is really who they claim they are. For example, I could create a key that says, just to randomly pick letters out of the air, "Tye McQueen", and you could prove that something I wrote and signed as this mythical person was actually written by me (since I hold the private key), but that doesn't authenticate that I actually am "Tye McQueen". Now, if you knew this "Tye McQueen" person, you could call them up and read the fingerprint to them, and they could confirm that it's not their key, and you could then reject the public key that I had created. On the other hand, if I really were "Tye McQueen" and you called me up, I could verify the fingerprint and you'd be able to tell gpg that the fingerprint is good, and it would stop complaining about the signature, and instead validate that text signed by me really is by me.

Does that help?


In reply to Re: cpan upgrade - "key is not certified with a trusted signature." Concern? by Tanktalus
in thread cpan upgrade - "key is not certified with a trusted signature." Concern? by locked_user sundialsvc4
