Tags: ruby-on-rails, ruby, ruby-on-rails-3, rvm, gnupg

rvm installation gpg key warning


To install rvm, I use the command provided on the rvm website (https://rvm.io/rvm/install) to install stable versions of rvm:

\curl -sSL https://get.rvm.io | bash -s stable --ruby

I am a little concerned about the warning I get from gpg: "There is no indication that the signature belongs to the owner." Is this gpg just being a bit too picky? The primary key fingerprint (409B 6B17 96C2 7546 2A17 0311 3804 BB82 D39D C0E3) matches Michal Papis, so that is reassuring.

But then why does gpg warn that "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner"? This reminds me of Certificate Authorities (CAs) and not paying a CA, but doesn't gpg work differently?

Output during installation:

Downloading https://github.com/rvm/rvm/archive/1.26.11.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.26.11/1.26.11.tar.gz.asc
gpg: Signature made Mon Mar 30 14:52:13 2015 PDT using RSA key ID BF04FF17
gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
Subkey fingerprint: 62C9 E5F4 DA30 0D94 AC36  166B E206 C29F BF04 FF17
GPG verified '/Users/MyHome/.rvm/archives/rvm-1.26.11.tgz'

Solution

  • GnuPG does more than verify a hash sum; it can also help you verify who issued a signature.

    This line tells you that the signature is valid (the file is untampered) and was made using a certain key:

    gpg: Good signature from "Michal Papis (RVM signing) <mpapis@gmail.com>"
    

    Simply having a key locally does not help you decide whom it really belongs to:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 409B 6B17 96C2 7546 2A17  0311 3804 BB82 D39D C0E3
    

    GnuPG requires a trust path from a key owned by you to the key you want to validate, similarly to the chain of trust for X.509 (as used in HTTPS ...).

    A basic approach to verifying the key manually would be comparing its fingerprint against the one provided on the TLS-secured download page (https://rvm.io/rvm/install), which should hopefully be equal (don't worry about whether there are spaces in between or not; that's just for readability). This way you'll have to trust the web page, but you won't have to care about the rather complex OpenPGP trust concept. Using the OpenPGP web of trust to validate key ownership, you can probably be more certain of the issuer; you have to decide on your own how much effort you put into the validation.
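The manual check described in the answer, carried through as a small shell script. This is an added example and is not code from the question, the answer, or the rvm project. It assumes gpg is on PATH and the signing key has already been imported; the fingerprint is the one quoted on the page, and the archive and signature file names are the ones rvm downloaded above. Instead of reading the human-readable "Good signature" / "WARNING" text, it uses gpg's machine-readable status lines: the last field of VALIDSIG is the primary key fingerprint (the first field is the signing subkey's own fingerprint, BF04FF17's in this case), and the TRUST_* line is what the WARNING on the page corresponds to.

```sh
#!/bin/sh
# Added example (not from the original question or answer): verify a detached
# OpenPGP signature with GnuPG and pin the primary key fingerprint to a value
# obtained out of band (e.g. from the TLS-protected https://rvm.io/rvm/install).
# Assumptions: gpg is on PATH and the signing key is already imported.

# Fingerprint exactly as printed on the download page (spaces are for readability).
EXPECTED_FPR="409B 6B17 96C2 7546 2A17 0311 3804 BB82 D39D C0E3"

# Strip whitespace and upper-case, so "409B 6B17 ..." and "409b6b17..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Extract the primary key fingerprint from gpg --status-fd output.
# VALIDSIG has 12 fields when the primary fingerprint is present; field 12 is it.
# (Format documented in GnuPG's doc/DETAILS.)
primary_fpr_from_status() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG / && NF >= 12 { print $12; exit }'
}

# Report gpg's trust verdict for the key (TRUST_UNDEFINED is the case behind the
# "This key is not certified with a trusted signature!" warning on the page).
trust_from_status() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] TRUST_/ { print $2; exit }'
}

# Verify signature file $1 over archive $2.
# Returns 0 only if gpg reports a valid signature AND the primary key fingerprint
# matches the pinned value; the trust level is reported but not required.
verify_pinned() {
    sig="$1"; archive="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || return 1
    got=$(primary_fpr_from_status "$status")
    [ -n "$got" ] || return 1
    [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$EXPECTED_FPR")" ] || return 1
    echo "good signature from pinned key; gpg trust level: $(trust_from_status "$status")"
}

# Usage with the files rvm downloaded on the page (assumed to be in the current directory):
#   verify_pinned 1.26.11.tar.gz.asc rvm-1.26.11.tgz
```

Once you have checked the fingerprint against the web page this way, you can tell gpg that you have done so with `gpg --lsign-key 409B6B1796C275462A1703113804BB82D39DC0E3` (a local, non-exportable certification), after which the warning disappears because the trust path the answer describes now exists from your own key to the RVM signing key. Pinning the fingerprint in the script, as above, gives you the same assurance without touching the trust database.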