If you try to verify the signature using
gpg --verify <pkg>.key
you'll get an output like the following:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key
The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:
gpg --recv-keys BE216115
Which resulted in the following on my installation:
gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2 valid: 6 signed: 1 trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1
Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115
So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:
gpg --edit-key BE216115
In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
