GPG warning about signature

rust-lang-deprecated / rustup.sh

The rustup.sh script for installing Rust from release channels

Apache License 2.0

96 stars 24 forks source link

GPG warning about signature #65

Open php-coder opened 8 years ago

php-coder commented 8 years ago

When I'm trying to follow instructions and install Rust I see the error that scares me:

gpg: assuming signed data in '/home/coder/.rustup/dl/be644b01552c9dba7a05/rust-1.11.0-x86_64-unknown-linux-gnu.tar.gz'
gpg: Signature made Tue 16 Aug 2016 01:35:16 PM CEST using RSA key ID 7B3B09DC
gpg: Good signature from "Rust Language (Tag and Release Signing Key) <rust-key@rust-lang.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 108F 6620 5EAE B0AA A8DD  5E1C 85AB 96E6 FA1B E5FE
     Subkey fingerprint: C134 66B7 E169 A085 1886  3216 5CB4 A934 7B3B 09DC

I've canceled my installation because I'm not sure what's inside. Why we have problem with signature and if we can't fix it why we're using it?

steveklabnik commented 8 years ago

Why we have problem with signature and if we can't fix it why we're using it?

Well, we don't, you do. That is, this is from your local copy of gpg saying that it doesn't know that it's trusted.

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x85AB96E6FA1BE5FE

Those are the people who have signed it. If you had signed it yourself, or had one of those people in your web of trust, it wouldn't show the warning.

php-coder commented 8 years ago

Unfortunately, I'm just a user who runs installer and sees this message. From my point of view, installer runs gpg (or something else that calling gpg). Also I have no idea where and how I can fix it.

steveklabnik commented 8 years ago

Unfortunately, I'm just a user who runs installer and sees this message.

Yes, I was trying to explain the background.

Also I have no idea where and how I can fix it.

Well, you'd have to decide if you trust the key or not, and then use gpg to mark it as such. If you did, then it would go away.

Part of this is that it's not something we can do for you; it's up to you to decide to trust the key or not. That's a human question, not a programmer question.

php-coder commented 8 years ago

Ok, thank you anyway!

steveklabnik commented 8 years ago

Thanks for reporting! I do think that it's not great that this shows up, but I'm not sure what to do about it: we don't show it at all, IIRC, if gpg isn't installed, and if it is, well, this is the output it shows. Not sure how this could be improved. @brson any thoughts?

brson commented 8 years ago

The only way I know to fix this is to pipe gpg's output to /dev/null. We might just remove gpg verification from rustup.sh completely since its dependent on the host actually having it, and thus can't be relied on and is subject to downgrade attacks.