
Verifying Apache shows the warning message "This key is not certified with a trusted signature".
wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz
wget https://downloads.apache.org/accumulo/1.10.2/accumulo-1.10.2-bin.tar.gz.asc
wget https://downloads.apache.org/accumulo/KEYS
gpg --import KEYS
gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
It shows this error message:
gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg: using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B 835D 6F0C DAE7 00B6 899D
I want to fully trust it:
gpg --edit-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
gpg> trust
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 4
pub rsa4096/6F0CDAE700B6899D
created: 2012-10-13 expires: 2024-01-12 usage: SC
trust: full validity: unknown
sub rsa4096/2FFC0085C23D3DA9
created: 2012-10-13 expires: 2024-01-12 usage: E
sub rsa4096/4417A0C14245D003
created: 2013-04-28 expires: 2024-01-12 usage: A
[ unknown] (1). Christopher L Tubbs II (Christopher) <[email protected]>
[ unknown] (2) Christopher L Tubbs II (Developer) <[email protected]>
[ unknown] (3) Christopher L Tubbs II (Developer) <[email protected]>
gpg> quit
Then verify again:
gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
gpg: Signature made Tue 08 Feb 2022 11:04:00 PM HKT
gpg: using RSA key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
gpg: Good signature from "Christopher L Tubbs II (Christopher) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: aka "Christopher L Tubbs II (Developer) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CC4 F8A2 B29C 2B04 0F2B 835D 6F0C DAE7 00B6 899D
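How can I verify Apache without the warning message being shown?
Answer 1
Setting the trust to ultimate (5) or signing the key will fix the problem (but see the warning below!).
Option 1: Set trust to ultimate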
$ gpg --edit-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
[...]
gpg> trust
[...]
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
[...]
gpg> quit
I entered 5 at the trust prompt. Running the verify command now gives:
$ gpg --verify accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz
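The output no longer has a warning. On the other hand, I lied when I set the trust to ultimate.
Option 2: Sign the key
Since I do not ultimately trust the key, it is more accurate to sign the key with my own key, which I do trust ultimately. Do your research first, see the warning. Sign the key: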
$ gpg --sign-key 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D
[...]
Really sign all user IDs? (y/N) y
[...]
Really sign? (y/N) y
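Running the verify command shows no warning, and this time I did not have to lie.
Warning
Note that the warning is there for a good reason. If you want to put more effort into checking whether the key can be trusted before signing it or marking it as ultimately trusted, this security.stackexchange.com thread is a good starting point.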
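Added example (not part of the original question or answer): for scripted verification, what matters is that the signature is valid and was made by the expected key, which can be read from gpg's `--status-fd` output without changing ownertrust. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one shown in the question's output.

```shell
#!/bin/sh
# Decide on a release signature by pinned fingerprint, reading gpg's
# machine-readable status lines instead of the human-readable text.

# Fingerprint from the question's gpg output. Pin it only after comparing
# it against a source independent of the download server.
PINNED_FPR=8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D

# check_status EXPECTED_FPR  (hypothetical helper name)
# Reads `gpg --status-fd 1` lines on stdin. Returns 0 only if a VALIDSIG
# line names EXPECTED_FPR as primary key and no BADSIG, ERRSIG, EXPKEYSIG
# or REVKEYSIG line is present (expired and revoked keys are rejected).
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key fingerprint; field 12, when
            # present, is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIGFILE DATAFILE  (hypothetical helper name)
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output for the question's case: good signature with
# undefined trust, the situation in which gpg prints the WARNING.
sample_untrusted() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6F0CDAE700B6899D Christopher L Tubbs II (Christopher)
[GNUPG:] VALIDSIG $PINNED_FPR 2022-02-08 1644332640 0 4 0 1 10 00 $PINNED_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed status output for a file that does not match its signature.
sample_bad() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6F0CDAE700B6899D Christopher L Tubbs II (Christopher)
EOF
}
```

Usage: `verify_release accumulo-1.10.2-bin.tar.gz.asc accumulo-1.10.2-bin.tar.gz && echo verified`.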