Versions Compared

Old Version 11

changes.mady.by.user Nazeer Shaik

Saved on

compared with

New Version 12

changes.mady.by.user Nazeer Shaik

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
% gpg --verify apache-fineract-0.5.0-incubating-src.tar.gz.asc apache-fineract-0.5.0-incubating-src.tar.gz  
gpg: Signature made 12/07/16 16:33:37 India Standard Time using RSA key ID 0BB29444
gpg: Good signature from "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AF4F D65D E78C A5B1 BF30  939F 80C4 D889 0BB2 9444

At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key 0BB29444 was created by the real Shaik Nazeer Hussain.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.