CarlGammaSagan

Reputation: 433

rvm installation gpg key warning

To install rvm, I use the command provided on the rvm website (https://rvm.io/rvm/install) to install stable versions of rvm:

\curl -sSL https://get.rvm.io | bash -s stable --ruby

I am a little concerned about the warning I get from gpg: "There is no indication that the signature belongs to the owner." Is gpg just being a bit too picky? The primary key fingerprint (409B 6B17 96C2 7546 2A17 0311 3804 BB82 D39D C0E3) matches Michal Papis's, so that is reassuring.

But then why does gpg warn that "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner"? This reminds me of Certificate Authorities (CAs) and not paying a CA, but doesn't gpg work differently?

Output during installation:

Downloading https://github.com/rvm/rvm/archive/1.26.11.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.26.11/1.26.11.tar.gz.asc
gpg: Signature made Mon Mar 30 14:52:13 2015 PDT using RSA key ID BF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17
GPG verified '/Users/MyHome/.rvm/archives/rvm-1.26.11.tgz'

Upvotes: 2

Views: 1685

Answers (2)

Jens Erat

Reputation: 38732

GnuPG does more than verify a hash sum; it can also help you verify who issued a signature.

This line tells you that the signature is valid (the file is untampered) and was made with a certain key:

gpg: Good signature from "Michal Papis (RVM signing) <[email protected]>"

Simply having a key locally does not help you decide whom it really belongs to:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3

GnuPG requires a trust path from a key owned by you to the key you want to validate, similar to the chain of trust for X.509 (as used in HTTPS, ...).

A basic approach to verifying the key manually would be comparing its fingerprint against the one provided on the TLS-secured download page (https://rvm.io/rvm/install), which hopefully are equal (it doesn't matter whether there are spaces in between; that's just for readability). This way you have to trust the web page, but you don't need to deal with the rather complex OpenPGP trust model. Using the OpenPGP web of trust to validate key ownership, you can probably be more certain of the issuer; you have to decide on your own how much effort you put into the validation.

Upvotes: 2
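The fingerprint comparison the answer above recommends can be automated so that the "not certified" warning never has to be interpreted by a human: make gpg emit its machine-readable status lines, pull the primary-key fingerprint out of the VALIDSIG record, and accept the download only if it equals the fingerprint pinned from the rvm.io install page. The script below is an added example written for this page, not code from the original post or from the rvm project. The status lines it is tested against are constructed from the output shown in the question (the primary and subkey fingerprints are the ones quoted there; the alternate fingerprint, the file names and the key-file argument are hypothetical), and the `verify_pinned` function assumes a detached `.asc` signature and an exported public key file as input, which is how the rvm release artefacts in the question are laid out.

```shell
#!/bin/sh
# Added example (not from the original post or from rvm): verify a download
# by pinning the signing key's PRIMARY fingerprint instead of trusting the
# human-readable "WARNING: This key is not certified" text.

# Primary-key fingerprint quoted in the question (and on rvm.io/rvm/install).
EXPECTED_PRIMARY_FPR="409B6B1796C275462A1703113804BB82D39DC0E3"

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# carried by the first VALIDSIG record. Counting "[GNUPG:]" as field 1, the
# VALIDSIG fields are: sig-fpr date timestamp expire sig-ver reserved
# pubkey-algo hash-algo sig-class primary-fpr, so primary-fpr is field 12.
# Prints nothing when there is no VALIDSIG (bad signature, unknown key, ...).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# Return 0 only if stdin contains a VALIDSIG whose primary fingerprint equals
# the pinned value given as $1; any other outcome (no VALIDSIG, or a perfectly
# "good" signature from a different key) returns 1.
check_status() {
    got=$(primary_fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# verify_pinned FILE SIG_FILE PUBKEY_FILE EXPECTED_PRIMARY_FPR
# Imports PUBKEY_FILE into a throwaway keyring so that nothing in the user's
# ~/.gnupg trust database can influence the result, then verifies the detached
# signature and applies check_status. Returns 0 on success, 1 on signature or
# fingerprint mismatch, 2 on setup failure. (Assumes gpg is installed.)
verify_pinned() {
    file=$1; sig=$2; keyfile=$3; expected=$4
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 2
    fi
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    rm -rf "$tmp"
    printf '%s\n' "$status" | check_status "$expected"
}

# Constructed status output modelled on the gpg run shown in the question:
# a good signature by subkey ...BF04FF17 whose primary key is the pinned one.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E206C29FBF04FF17 Michal Papis (RVM signing)
[GNUPG:] VALIDSIG 62C9E5F4DA300D94AC36166BE206C29FBF04FF17 2015-03-30 1427752333 0 4 0 1 10 00 409B6B1796C275462A1703113804BB82D39DC0E3
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from a hypothetical attacker key whose
# user ID mimics the real one. gpg would still print "Good signature" here.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Michal Papis (RVM signing)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432100123456789ABCDEF 2015-03-30 1427752333 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered file, so no VALIDSIG record is emitted at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG E206C29FBF04FF17 Michal Papis (RVM signing)'

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "verify_pinned.sh" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_PRIMARY_FPR" && echo "pinned key: accept"
    printf '%s\n' "$SAMPLE_OTHER_KEY" | check_status "$EXPECTED_PRIMARY_FPR" || echo "other key: reject"
    printf '%s\n' "$SAMPLE_BAD" | check_status "$EXPECTED_PRIMARY_FPR" || echo "bad signature: reject"
    # Real use, e.g.: verify_pinned rvm-1.26.11.tgz 1.26.11.tar.gz.asc mpapis.asc "$EXPECTED_PRIMARY_FPR"
fi
```

Two details matter. The comparison is made on the primary-key fingerprint in the VALIDSIG record, not on the `RSA key ID BF04FF17` that the human-readable output shows, because that is a subkey ID and a short ID is trivially collidable. And the throwaway `--homedir` means the result depends only on the pinned fingerprint and the signature, so the trust-database warning that prompted the question becomes irrelevant rather than something to be silenced.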

errata

Reputation: 26972

It's fine. I don't think you actually need to use SSL anyway, but if you do so as per the instructions on the rvm page, make sure you add the key first.

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

\curl -sSL https://get.rvm.io | bash -s stable

Upvotes: 1
