caltrop:/usr/src/new# ls -l total 33212 -rw-r--r-- 1 root src 33963814 Jun 10 14:29 linux-2.4.20.tar.gz -rw-r--r-- 1 root src 248 Jun 10 14:29 linux-2.4.20.tar.gz.sign ########################################################################### NOTE: I "get" the key but DO NOT sign it or enable a trust level for it. ########################################################################### dugan@caltrop:/usr/src/new$ gpg --keyserver pgp.mit.edu --recv-key 517D0F0E gpg: requesting key 517D0F0E from pgp.mit.edu ... gpg: key 517D0F0E: public key imported gpg: /home/dugan/.gnupg/trustdb.gpg: trustdb created gpg: sig 517D0F0E.59: duplicated certificate - deleted gpg: sig 517D0F0E.59: duplicated certificate - deleted gpg: sig 517D0F0E.59: duplicated certificate - deleted gpg: sig 517D0F0E.59: duplicated certificate - deleted gpg: Total number processed: 1 gpg: imported: 1 ########################################################################### Now try to verify the key (see if there is a vald trust path through my web of trust:) ########################################################################### dugan@caltrop:/usr/src/new$ gpg --verify linux-2.4.20.tar.gz.sign gpg: Signature made Thu Nov 28 15:57:27 2002 PST using DSA key ID 517D0F0E gpg: Good signature from "Linux Kernel Archives Verification Key " Could not find a valid trust path to the key. Let's see whether we can assign some missing owner trust values. No path leading to one of our keys found. gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. gpg: Fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E ########################################################################### There is no valid path. All I can see is that the file gpg sig matches the published files with the published key, but my gpg web of trust does not "trust" this key. Going to continue with demo anyway... ###########################################################################