I am new to PGP and am trying to learn. I have been trying to successfully verify a signature for the last six hours or so. I must say that for all the documentation on this site there has been NOTHING of help here to me whatsoever.
I am on a website that is asking me to verify their signature through a document they've published. Their signature is appended to the end of the document. I have their public key in my keychain. I click "Services/OpenPGP: Verify Signature of File" but that doesn't work. What gives???
1 Posted by Michael on 11 Jul, 2020 05:29 AM
If the "ownertrust" is set to "unknown," or set to anything OTHER than "Ultimate," when you check the signature GPG Keychain returns "The signature is not to be trusted."
If, however, you change the trust to "Ultimate," it returns a seemingly "favorable" response, saying that the signature is trusted.
All this time I assumed I was doing something wrong while trying to verify a signature, but I was not. Your app returns a message that is highly confusing and unclear! While the ownertrust is marked anything but "ultimate," BUT the signature DOES in fact match, it still says "signature should not be trusted." But it now seems to me that "signature should not be trusted" only refers to the "trust level" that I've set for that contact and NOT for the "correctness" of the signature itself. Jeez Louise!!!!!!
Support Staff 2 Posted by Steve on 13 Jul, 2020 06:13 PM
Welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.
This KB-article explains how to verify and sign a key and also elaborates on why a signature is untrusted and that that is not necessarily a problem (depending on your use-case and required trust).
All the best,
Steve closed this discussion on 27 Jul, 2020 02:58 PM.
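
The distinction discussed in this thread, between a signature that matches the document and a signing key that is not validated in the local keyring, is reported as two separate items in GnuPG's machine-readable status output. The following is an added example, not part of the original discussion and not GPGTools code; it assumes status lines captured with `gpg --status-fd 1 --verify FILE` for a single signature, and the key ID, fingerprint and signer name in the samples are constructed.

```python
# Added example: separate "does the signature match?" from "is the key validated?"
# by parsing GnuPG status lines. All sample output below is constructed.
SIG_KEYWORDS = {
    "GOODSIG": "good",            # signature matches the document
    "BADSIG": "bad",              # signature does not match the document
    "ERRSIG": "unchecked",        # could not be checked, e.g. no public key
    "EXPSIG": "expired-signature",
    "EXPKEYSIG": "expired-key",
    "REVKEYSIG": "revoked-key",
}

def classify(status_text):
    """Return (signature_state, key_validity, fingerprint) for one signature."""
    sig, validity, fpr = "none", "unknown", None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ignore human-readable output
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword in SIG_KEYWORDS:
            sig = SIG_KEYWORDS[keyword]
        elif keyword == "VALIDSIG" and len(fields) > 1:
            fpr = fields[1]               # full fingerprint of the signing key
        elif keyword.startswith("TRUST_"):
            validity = keyword[len("TRUST_"):].lower()
    return sig, validity, fpr

def summarize(status_text):
    sig, validity, fpr = classify(status_text)
    if sig == "good" and validity in ("fully", "ultimate"):
        return "signature matches; signing key is validated"
    if sig == "good":
        return f"signature matches; key {fpr} not validated locally (validity: {validity})"
    return f"signature not accepted: {sig}"

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
GOOD_UNTRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2020-07-11 1594445340 0 4 0 1 8 01 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
GOOD_ULTIMATE = GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")
BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"

if __name__ == "__main__":
    for sample in (GOOD_UNTRUSTED, GOOD_ULTIMATE, BAD):
        print(summarize(sample))
```

In the first sample the signature is good even though the key's validity is undefined, which is the case the "not to be trusted" message in the thread describes; comparing the reported fingerprint with one obtained from the publisher through a separate channel is what establishes whose key it is.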