PGP Utility?

[Bob Perry]

Kris Kennaway wrote:

>On Wed, Mar 17, 2004 at 01:13:47AM -0500, Bob Perry wrote:
>
>  
>
>>I installed gnupg-1.2.4_1, The GNU Privacy Guard, & read over the README
>>and HOWTOs.  Ran into a problem re "...unsafe ownership of the main
>>configuration file...."  Searched the mailing list archives with little 
>>luck
>>but, more importantly, the users' mailing list was unavailable.
>>    
>>
>
>Well, what is the ownership?  gnupg probably expects it to be owned by
>the user and not to be world- or group- writable, and maybe not to be
>readable either.  i.e. the permissions on the file should be secure.
>
>  
>
>>My objective was to just install a security patch.  Is the file 
>>verification
>>step really necessary?
>>    
>>
>
>That all depends on whether or not you have a trojaned copy of the
>security patch :-)
>
>Kris
>  
>
Kris,

Thanks for responding.  I had installed the GPA graphical interface and 
it was
having a bad hair day or something.  I resolved my initial problem by
deinstalling/reinstalling the gnugp port and using the command line to set
the program up.

I'm at the stage now, where I need to validate and certify the Security 
Officer's 
PGP key before I can verify the signature. Documentation suggests 
"...comparing
the key during a phone call."   Later, there is the reality that "If you 
don't know the
owner of the public key you are really in trouble."

Is there some recommended course to follow when it comes to handling these
FreeBSD security patches?

Thanks,

Bob




-- 
I've learned that whatever hits the fan will not be evenly
distributed.

FreeBSD 4.9-RELEASE-p2 #0