Description:
The documentation on http://dev.mysql.com/doc/refman/5.6/en/checking-gpg-signature.html tells the user to download/import the public GnuPG key, but doesn't explain how to trust the public key.
This results in a warning, which is not in the documentation.
# gpg --verify mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz.sig mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz
gpg: Signature made Mon 03 Dec 2012 11:02:30 PM CET using DSA key ID 5072E1F5
gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A4A9 4068 76FC BD3C 4567 70C8 8C71 8D3B 5072 E1F5
# ls -l mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz*
-rw-r--r-- 1 root root 302898174 Dec 3 18:53 mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz
-rw-r--r-- 1 root root 185 Jan 21 14:35 mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz.sig
# gpg --list-keys "MySQL Release Engineering <mysql-build@oss.oracle.com>"
pub 1024D/5072E1F5 2003-02-03 [expires: 2013-09-18]
uid MySQL Release Engineering <mysql-build@oss.oracle.com>
sub 2048g/6D9876B8 2003-02-03 [expires: 2013-09-18]
How to repeat:
Follow the documentation.
Suggested fix:
Add to the documentation:
1. Run gpg --edit-key "<key identifier>"
2. Run "trust" command
3. Select 5 (Ultimate)
4. Run "save"
# gpg --edit-key "MySQL Release Engineering <mysql-build@oss.oracle.com>"
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/5072E1F5 created: 2003-02-03 expires: 2013-09-18 usage: SCA
trust: unknown validity: unknown
sub 2048g/6D9876B8 created: 2003-02-03 expires: 2013-09-18 usage: E
[ unknown] (1). MySQL Release Engineering <mysql-build@oss.oracle.com>
[ revoked] (2) MySQL Package signing key (www.mysql.com) <build@mysql.com>
gpg> trust
pub 1024D/5072E1F5 created: 2003-02-03 expires: 2013-09-18 usage: SCA
trust: unknown validity: unknown
sub 2048g/6D9876B8 created: 2003-02-03 expires: 2013-09-18 usage: E
[ unknown] (1). MySQL Release Engineering <mysql-build@oss.oracle.com>
[ revoked] (2) MySQL Package signing key (www.mysql.com) <build@mysql.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/5072E1F5 created: 2003-02-03 expires: 2013-09-18 usage: SCA
trust: ultimate validity: unknown
sub 2048g/6D9876B8 created: 2003-02-03 expires: 2013-09-18 usage: E
[ unknown] (1). MySQL Release Engineering <mysql-build@oss.oracle.com>
[ revoked] (2) MySQL Package signing key (www.mysql.com) <build@mysql.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> save
Key not changed so no update needed.
root@server4:~# gpg --verify mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz.sig mysql-5.6.9-rc-linux-glibc2.5-x86_64.tar.gz
gpg: Signature made Mon 03 Dec 2012 11:02:30 PM CET using DSA key ID 5072E1F5
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-09-18
gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"
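An added example, not part of the original report or of the MySQL documentation: a script that decides on gpg's machine-readable `--status-fd` output and compares the primary key fingerprint with a pinned value, so the result does not depend on the owner-trust setting in the local trustdb. The fingerprint is the one printed in the report above; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Pinned primary key fingerprint, as printed in the report above (spaces removed).
# Confirm it against a source independent of the download before relying on it.
PINNED_FPR="A4A9406876FCBD3C456770C88C718D3B5072E1F5"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature
# from a key that has no owner trust assigned (TRUST_UNDEFINED).
SAMPLE_STATUS='[GNUPG:] GOODSIG 8C718D3B5072E1F5 MySQL Release Engineering <mysql-build@oss.oracle.com>
[GNUPG:] VALIDSIG A4A9406876FCBD3C456770C88C718D3B5072E1F5 2012-12-03 1354572150 0 3 0 17 2 00 A4A9406876FCBD3C456770C88C718D3B5072E1F5
[GNUPG:] TRUST_UNDEFINED'

# check_status FPR: reads gpg status lines on stdin.
# Succeeds only if GOODSIG and VALIDSIG are present, every VALIDSIG names the
# pinned primary key, and no failure status (bad, expired, revoked) appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) pinned = 1; else other = 1
        }
        END { exit ((good && pinned && !bad && !other) ? 0 : 1) }
    '
}

# verify_release SIGFILE DATAFILE: run gpg and apply the check to its status output.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Stand-alone use: sh verify.sh FILE.sig FILE
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
    exit
fi
```

The exit status is 0 only when the signature is good and was made by the pinned key; any other outcome, including gpg being unable to run, returns non-zero.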