Open php-coder opened 8 years ago
Why we have problem with signature and if we can't fix it why we're using it?
Well, we don't, you do. That is, this is from your local copy of gpg
saying that it doesn't know that it's trusted.
http://pgp.mit.edu/pks/lookup?op=vindex&search=0x85AB96E6FA1BE5FE
Those are the people who have signed it. If you had signed it yourself, or had one of those people in your web of trust, it wouldn't show the warning.
Unfortunately, I'm just a user who runs installer and sees this message. From my point of view, installer runs gpg (or something else that calling gpg). Also I have no idea where and how I can fix it.
Unfortunately, I'm just a user who runs installer and sees this message.
Yes, I was trying to explain the background.
Also I have no idea where and how I can fix it.
Well, you'd have to decide if you trust the key or not, and then use gpg
to mark it as such. If you did, then it would go away.
Part of this is that it's not something we can do for you; it's up to you to decide to trust the key or not. That's a human question, not a programmer question.
Ok, thank you anyway!
Thanks for reporting! I do think that it's not great that this shows up, but I'm not sure what to do about it: we don't show it at all, IIRC, if gpg isn't installed, and if it is, well, this is the output it shows. Not sure how this could be improved. @brson any thoughts?
The only way I know to fix this is to pipe gpg's output to /dev/null. We might just remove gpg verification from rustup.sh completely since its dependent on the host actually having it, and thus can't be relied on and is subject to downgrade attacks.
When I'm trying to follow instructions and install Rust I see the error that scares me:
I've canceled my installation because I'm not sure what's inside. Why we have problem with signature and if we can't fix it why we're using it?