[Solved] installing and verifying torbirdy in whonix?

I’m trying to add enigmail and torbirdy to icedove in whonix and I’m trying to check torbirdy, but the link to Jacob Appelbaum’s OpenPGP key is like from 2012 (which I tried anyway, and it didn’t check out). So I was wondering if anyone else has tried this or has his new key or had this problem?


[code]wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi.asc[/code]

[code]wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi[/code]

[code]gpg --verify torbirdy-current.xpi.asc 
gpg: Signature made Mon 04 Nov 2013 11:43:51 AM UTC using RSA key ID 1245F783
gpg: Good signature from "Jacob Appelbaum (offline long term identity key) <jacob@appelbaum.net>" [unknown]
gpg:                 aka "Jacob Appelbaum (offline long term identity key) <jacob@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 228F AD20 3DE9 AE7D 84E2  5265 CF9A 6F91 4193 A197
     Subkey fingerprint: E729 FE2D EE92 DB51 1AC9  FF91 590C 7D91 1245 F783[/code]

Works for me.

OK, so I have more to learn about PGP, sorry, I am a newb at this. I honestly thought that:

[code]gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 228F AD20 3DE9 AE7D 84E2 5265 CF9A 6F91 4193 A197
Subkey fingerprint: E729 FE2D EE92 DB51 1AC9 FF91 590C 7D91 1245 F783[/code]

was not good and telling me that this was not the real deal. But if all I need to see is “Good signature”, I am now assuming that is the important part, then it was good all along.

Thanks.

Understanding that warning is worth it nevertheless.

On “Verify the virtual machine images using the command line - Whonix” it’s written:
“This doesn’t alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Whonix signing key and the web of trust (OpenPGP - Kicksecure). To remove this warning you would have to personally sign Whonix signing key with your own key.”

I don’t have a better explanation for this, so I recommend reading a few other explanation attempts on the web.

As an aside: Torbirdy will hopefully be added to the Debian repos and then Whonix. A hardened email client is a real necessity.
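
Added example (not part of any post in this thread): a shell check that goes one step past reading "Good signature" by requiring that the signature was made under a pinned primary key fingerprint, parsed from gpg's machine-readable `--status-fd` output. The function names and the sample status lines are constructed here; the fingerprint is the one shown in the gpg output above and is assumed to have been confirmed through an independent channel.

```shell
#!/bin/sh
# Primary key fingerprint as printed by gpg in this thread, spaces removed.
# Assumption: you have confirmed it through a channel other than the download.
PINNED_FPR="228FAD203DE9AE7D84E25265CF9A6F914193A197"

# Constructed sample of `gpg --status-fd 1 --verify` output, built from the
# key IDs, fingerprints and signature time shown in this thread.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 590C7D911245F783 Jacob Appelbaum (offline long term identity key) <jacob@appelbaum.net>
[GNUPG:] VALIDSIG E729FE2DEE92DB511AC9FF91590C7D911245F783 2013-11-04 1383565431 0 4 0 1 10 00 228FAD203DE9AE7D84E25265CF9A6F914193A197
[GNUPG:] TRUST_UNDEFINED'

# Strip spaces and uppercase, so a fingerprint can be pasted as gpg prints it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status FPR: read gpg status lines on stdin; succeed only if there is a
# GOODSIG, no bad/expired/revoked status, and VALIDSIG names FPR as primary key.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == want { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE [FPR]: run gpg and apply the check above.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" | check_status "$PINNED_FPR"; then
    echo "sample: signed by the pinned key"
fi
```

With the two downloaded files in the current directory, `verify_pinned torbirdy-current.xpi.asc torbirdy-current.xpi` returns 0 only when the signature is good and was made under the pinned primary key.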