rustup.sh icon indicating copy to clipboard operation
rustup.sh copied to clipboard
verified publisher icon rust-lang-deprecated

GPG warning about signature

Open php-coder opened this issue 9 years ago • 6 comments

When I'm trying to follow instructions and install Rust I see the error that scares me:

gpg: assuming signed data in '/home/coder/.rustup/dl/be644b01552c9dba7a05/rust-1.11.0-x86_64-unknown-linux-gnu.tar.gz'
gpg: Signature made Tue 16 Aug 2016 01:35:16 PM CEST using RSA key ID 7B3B09DC
gpg: Good signature from "Rust Language (Tag and Release Signing Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 108F 6620 5EAE B0AA A8DD  5E1C 85AB 96E6 FA1B E5FE
     Subkey fingerprint: C134 66B7 E169 A085 1886  3216 5CB4 A934 7B3B 09DC

I've canceled my installation because I'm not sure what's inside. Why we have problem with signature and if we can't fix it why we're using it?

php-coder avatar Aug 24 '16 17:08 php-coder

Why we have problem with signature and if we can't fix it why we're using it?

Well, we don't, you do. That is, this is from your local copy of gpg saying that it doesn't know that it's trusted.

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x85AB96E6FA1BE5FE

Those are the people who have signed it. If you had signed it yourself, or had one of those people in your web of trust, it wouldn't show the warning.

steveklabnik avatar Aug 24 '16 20:08 steveklabnik

Unfortunately, I'm just a user who runs installer and sees this message. From my point of view, installer runs gpg (or something else that calling gpg). Also I have no idea where and how I can fix it.

php-coder avatar Aug 24 '16 21:08 php-coder

Unfortunately, I'm just a user who runs installer and sees this message.

Yes, I was trying to explain the background.

Also I have no idea where and how I can fix it.

Well, you'd have to decide if you trust the key or not, and then use gpg to mark it as such. If you did, then it would go away.

Part of this is that it's not something we can do for you; it's up to you to decide to trust the key or not. That's a human question, not a programmer question.

steveklabnik avatar Aug 24 '16 22:08 steveklabnik

Ok, thank you anyway!

php-coder avatar Aug 24 '16 22:08 php-coder

Thanks for reporting! I do think that it's not great that this shows up, but I'm not sure what to do about it: we don't show it at all, IIRC, if gpg isn't installed, and if it is, well, this is the output it shows. Not sure how this could be improved. @brson any thoughts?

steveklabnik avatar Aug 24 '16 22:08 steveklabnik

The only way I know to fix this is to pipe gpg's output to /dev/null. We might just remove gpg verification from rustup.sh completely since its dependent on the host actually having it, and thus can't be relied on and is subject to downgrade attacks.

brson avatar Aug 29 '16 18:08 brson