Gpg

How to suppress the warning message when verifying apache?

  • April 12, 2022

The warning message "This key is not certified with a trusted signature!" appears when verifying apache:

wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz
wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz.asc 
wget  https://downloads.apache.org/accumulo/KEYS
gpg --import KEYS    
gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz  

The error message appears:

gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg:                using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>" [unknown]
gpg:                 aka "Christopher L Tubbs II (Developer) <ctubbsii@apache.org>" [unknown]
gpg:                 aka "Christopher L Tubbs II (Developer) <ctubbsii@fedoraproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B  835D 6F0C DAE7 00B6 899D

I want to trust it fully:

gpg --edit-key   8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/6F0CDAE700B6899D
    created: 2012-10-13  expires: 2024-01-12  usage: SC  
    trust: full          validity: unknown
sub  rsa4096/2FFC0085C23D3DA9
    created: 2012-10-13  expires: 2024-01-12  usage: E   
sub  rsa4096/4417A0C14245D003
    created: 2013-04-28  expires: 2024-01-12  usage: A   
[ unknown] (1). Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>
[ unknown] (2)  Christopher L Tubbs II (Developer) <ctubbsii@apache.org>
[ unknown] (3)  Christopher L Tubbs II (Developer) <ctubbsii@fedoraproject.org>

gpg> trust
pub  rsa4096/6F0CDAE700B6899D
    created: 2012-10-13  expires: 2024-01-12  usage: SC  
    trust: full          validity: unknown
sub  rsa4096/2FFC0085C23D3DA9
    created: 2012-10-13  expires: 2024-01-12  usage: E   
sub  rsa4096/4417A0C14245D003
    created: 2013-04-28  expires: 2024-01-12  usage: A   
[ unknown] (1). Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>
[ unknown] (2)  Christopher L Tubbs II (Developer) <ctubbsii@apache.org>
[ unknown] (3)  Christopher L Tubbs II (Developer) <ctubbsii@fedoraproject.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 4

pub  rsa4096/6F0CDAE700B6899D
    created: 2012-10-13  expires: 2024-01-12  usage: SC  
    trust: full          validity: unknown
sub  rsa4096/2FFC0085C23D3DA9
    created: 2012-10-13  expires: 2024-01-12  usage: E   
sub  rsa4096/4417A0C14245D003
    created: 2013-04-28  expires: 2024-01-12  usage: A   
[ unknown] (1). Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>
[ unknown] (2)  Christopher L Tubbs II (Developer) <ctubbsii@apache.org>
[ unknown] (3)  Christopher L Tubbs II (Developer) <ctubbsii@fedoraproject.org>

gpg> quit

Then verify again:

gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz  
gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg:                using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>" [unknown]
gpg:                 aka "Christopher L Tubbs II (Developer) <ctubbsii@apache.org>" [unknown]
gpg:                 aka "Christopher L Tubbs II (Developer) <ctubbsii@fedoraproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B  835D 6F0C DAE7 00B6 899D

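How to suppress the warning message when verifying apache?

Setting the trust to ultimate (5), or signing the key, will both solve the problem (see the caveat below!).

Option 1: Set the trust to ultimate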

$ gpg --edit-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D

[...]

gpg> trust

[...]

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

[...]

gpg> quit

Note that I entered 5 at the trust prompt. Now when I run the verify command:

$ gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz

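There is no longer a warning in the output. On the other hand, I did lie when I set the trust to ultimate.

Option 2: Sign the key

Since you do not ultimately trust the key, it is more correct to sign the key with your own ultimately trusted key. If you want to do some diligence first, see the caveat. To sign the key: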

$ gpg --sign-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D

[...]

Really sign all user IDs? (y/N) y

[...]

Really sign? (y/N) y

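When I run the verify command there is again no warning, and this time I did not have to lie.

Caveat

Note that the warning is there for good reason. If you want to try to determine whether you really trust the key before signing it or marking it as ultimately trusted, this security.stackexchange.com thread is a good place to start.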
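
A third approach, as an added example that is not part of the original question or answer: verify in a throwaway keyring and accept the file only when gpg's machine-readable status names a pinned fingerprint, so the ownertrust database is never edited. The names check_status, verify_release and PINNED_FPR and the sample status lines are constructed for this example; the fingerprint is the one shown in the question's output.

```shell
#!/bin/sh
# Added example, not from the original post: decide on a pinned fingerprint
# instead of editing ownertrust or signing the key.

# Primary key fingerprint as printed in the question's gpg output (spaces removed).
# Assumption: it has been confirmed against a source other than the download mirror.
PINNED_FPR=8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D

# Constructed sample of `gpg --status-fd 1 --verify` output for the page's signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6F0CDAE700B6899D Christopher L Tubbs II (Christopher) <ctubbsii@gmail.com>
[GNUPG:] VALIDSIG 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D 2022-02-08 1644332640 0 4 0 1 10 00 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_status FPR: read gpg status lines on stdin. Succeeds only if every
# VALIDSIG line ends with FPR (the primary key fingerprint field) and there is
# no BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG line. No VALIDSIG at all fails.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { if ($NF == want) ok = 1; else bad = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIG FILE KEYS: import KEYS into a temporary home directory,
# verify there, and let check_status make the decision. The trust warning goes
# to stderr and is discarded because trust is not what is being relied on.
verify_release() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$3" 2>/dev/null ||
        { rm -rf "$tmp"; return 1; }
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage, with the files downloaded in the question:
#   verify_release accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz KEYS \
#       && echo "signature valid and made by the pinned key"
```
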

Quoted from: https://unix.stackexchange.com/questions/698565