in reply to cpan upgrade - "key is not certified with a trusted signature." Concern?
Not really an issue with cpan per se, but with public/private keys in general. You probably should read up on public/private key encryption and signing, specifically with GnuPG (gpg) or PGP (from where gpg has cloned everything). And then these messages would make sense in that context.
Importing a key. That just means that now your local gpg will know about the new key. Unlike SSL where there are allegedly central authorities who can authenticate "trusted" keys (though, in reality, they merely authenticate that the key belongs to someone who paid them, not quite the same level of confidence that we ascribe to them), gpg has no central authority, instead relying on a hierarchical model whereby you validate the keys yourself and tell gpg whether you trust them or not, and, if so, how much. For example, you trust yourself completely (though I know people that this assumption wouldn't hold true for). You can trust that 450f89ec is PAUSE (or not - the default). But you can also decide if you trust PAUSE to be correct about who THEY confirm, to give you basically something akin to confidence levels in keys that you haven't personally vouched for.
Then we get to your new warning. Since you haven't personally authenticated the PAUSE key, nor has anyone you trusted signed the key (since you probably haven't told gpg to trust anyone), it's merely telling you that the signed data, though it matches the signature it knows about, isn't necessarily authentic. That is, it definitely belongs to whoever it claims to belong to, but we don't really know if who it claims to belong to is really who they claim they are. For example, I could create a key that says, just to randomly pick letters out of the air, "Tye McQueen", and you could prove that something I wrote and signed as this mythical person was actually written by me (since I hold the private key), but that doesn't authenticate that I actually am "Tye McQueen". Now, if you knew this "Tye McQueen" person, you could call them up and read the fingerprint to them, and they could confirm that it's not their key, and you could then reject the public key that I had created. On the other hand, if I really were "Tye McQueen" and you called me up, I could verify the fingerprint and you'd be able to tell gpg that the fingerprint is good, and it would stop complaining about the signature, and instead validate that text signed by me really is by me.
Does that help?
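As an added illustration of the distinction the reply draws (a signature that matches a known key versus a key you have actually vouched for), here is a small Python classifier written for this page, not code from the original thread or from cpan/GnuPG. It reads the machine-readable status stream that `gpg --status-fd` emits (token names from GnuPG's doc/DETAILS: GOODSIG, VALIDSIG, TRUST_UNDEFINED, TRUST_FULLY and so on) rather than grepping the human-facing "not certified with a trusted signature" text, and separates "reject", "good but untrusted" and "good and trusted". The sample status lines, the fingerprint and the e-mail address are constructed placeholders; the `verify_file` helper assumes a `gpg` binary is on the path.

```python
"""Classify a GnuPG verification result from its --status-fd output.

The "key is not certified with a trusted signature" warning is stderr text
meant for humans. The reliable way to tell "good signature, untrusted key"
from "good signature, trusted key" or "bad signature" is the status stream,
whose tokens are documented in GnuPG's doc/DETAILS.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "
# Validity tokens GnuPG emits after a good signature, from least to most trusted.
TRUST_TOKENS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE"}
# Tokens meaning the signature itself cannot be accepted at all.
PROBLEM_TOKENS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    good_signature: bool = False        # data matches a signature by a key gpg knows
    fingerprint: Optional[str] = None   # primary fingerprint from VALIDSIG, if present
    trust: Optional[str] = None         # one of TRUST_TOKENS, if present
    problems: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.problems or not self.good_signature:
            return "reject"             # wrong data, unknown key, expired/revoked key
        if self.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            return "good-trusted"       # key validated through your own trust settings
        return "good-untrusted"         # matches the key, but nobody you trust vouched for it


def parse_status(status_text: str) -> VerifyResult:
    """Parse status lines; anything without the [GNUPG:] prefix is ignored."""
    result = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        token = fields[0]
        if token == "GOODSIG":
            result.good_signature = True
        elif token == "VALIDSIG" and len(fields) > 1:
            result.fingerprint = fields[1]
        elif token in TRUST_TOKENS:
            result.trust = token
        elif token in PROBLEM_TOKENS:
            result.problems.append(token)
    return result


def verify_file(signature_path: str, data_path: str) -> VerifyResult:
    """Run gpg on a detached signature and classify the outcome (needs a gpg binary)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout)


# Constructed sample status streams: key id, fingerprint, timestamps and address
# are placeholders, not real PAUSE key material.
SAMPLE_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000450F89EC PAUSE (placeholder) <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-03-02 1236000000 0 4 0 1 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace("TRUST_UNDEFINED 0 pgp", "TRUST_ULTIMATE 0 pgp")
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 00000000450F89EC PAUSE (placeholder) <placeholder@example.invalid>
"""

if __name__ == "__main__":
    for name, sample in (("untrusted", SAMPLE_UNTRUSTED),
                         ("trusted", SAMPLE_TRUSTED),
                         ("bad", SAMPLE_BAD)):
        print(name, "->", parse_status(sample).verdict)
```

The "good-untrusted" verdict is exactly the situation the reply describes: the data was signed by the holder of that private key, but nothing in your keyring says the key belongs to who it claims to be. Only after you have checked the fingerprint out of band and recorded that in gpg does the same signature come back as "good-trusted".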
Replies (listed 'Best First'):

Re^2: cpan upgrade - "key is not certified with a trusted signature." Concern?
- by sundialsvc4 (Abbot) on Mar 02, 2009 at 22:45 UTC
- by Tanktalus (Canon) on Mar 02, 2009 at 23:06 UTC
- by sundialsvc4 (Abbot) on Mar 09, 2009 at 20:03 UTC
- by Tanktalus (Canon) on Mar 09, 2009 at 21:12 UTC