
Thread: key is not certified with a trusted signature!

  1. #1

    key is not certified with a trusted signature!

    My apologies if this is a double post. I tried to post it once before and it appears to never have made it, or maybe it's awaiting approval since it's my first post.

    I searched the forum via Google for my problem and found two threads, neither of which gave a solution, so....

    I downloaded kali-linux-2.0-amd64.iso from https://www.kali.org/downloads/
    I then downloaded SHA1SUMS and SHA1SUMS.gpg from http://cdimage.kali.org/kali-2.0/

    Running as user I ran
    Code:
    wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
    and got
    Code:
    gpg: key 7D8D0BF6: "Kali Linux Repository <devel@kali.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    (I'd run it already once before)

    Then I ran
    Code:
    gpg --verify SHA1SUMS.gpg SHA1SUMS
    and got this
    Code:
    gpg: Signature made Tue 11 Aug 2015 09:35:26 AM EDT using RSA key ID 7D8D0BF6
    gpg: Good signature from "Kali Linux Repository <devel@kali.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
    Is the uncertified signature warning a known bug, or something I need to be concerned about?

    Thanks

  2. #2
    Same issue. Tried a number of loaders and various versions of Kali Linux from this site. Help please. Trying to load from a live USB.

  3. #3

    Solved

    I don't know why Google didn't pick up more threads, but when I went to the "Search Kali Linux" page it found others with "This key is not certified with a trusted signature!" in them.
    One of them had the answer. Here's the relevant snippet.
    Quote Originally Posted by pplsec
    The 3rd line appears because you haven't got the public key from the signer, but we know that it is the signer by matching the fingerprint to the one on Kali's site. If you wanted to, you can email the key owner and get the public key from him and import it in, by emailing him at devel@kali.org, but it's always better to get keys in person....
    So I did a "cat SHA1SUMS" and compared the hash for kali-linux-2.0-amd64.iso to the one on this page https://www.kali.org/downloads/

    They match, so I'm good to go.

  4. #4
    I am very wet behind the ears when it comes to pen testing and open source in general but it seemed to me if I abide by the principle of "assume NOTHING" I'll probably eventually understand it all.

    In that spirit I have experienced the same problem trying to verify the kali 2.0 torrent I downloaded and I couldn't help but notice there is one extra white space character in the fingerprint between 0875 and F758 than is indicated at the official kali download page (https://www.kali.org/downloads/).

    99% of me says that is not meaningful but I know very little and assume nothing - can someone clarify for me?
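
Added example (not part of any post in this thread): the comparison the posts above do by eye, run on gpg's machine-readable status output. It matches the signer's fingerprint against a pinned value after stripping whitespace, which is only display grouping in gpg's output, and keeps the "not certified" warning (`TRUST_UNDEFINED`) separate from signature validity. The status lines are constructed sample data, the fingerprint is the one printed in the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Fingerprint as printed by gpg in the first post (double space kept on purpose).
PINNED_FPR='44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6'

# Constructed sample of `gpg --status-fd 1 --verify SHA1SUMS.gpg SHA1SUMS` output.
# TRUST_UNDEFINED is the machine-readable form of the "not certified" warning.
SAMPLE_STATUS='[GNUPG:] GOODSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>
[GNUPG:] VALIDSIG 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 2015-08-11 1439300126 0 4 0 1 2 00 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
[GNUPG:] TRUST_UNDEFINED'

# Drop all whitespace and uppercase the hex, so display grouping cannot
# change the result of a comparison.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read status lines on stdin; print the primary-key fingerprint, which is the
# last field of the VALIDSIG line. Fails if there is no VALIDSIG line.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1; exit }
         END { exit !ok }'
}

# Succeed only if the signature is cryptographically valid AND was made by
# the pinned key, whatever the local trust database says about that key.
signer_is_pinned() {
    got=$(validsig_primary_fpr) || return 1
    [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# Print the hash that a sums file ($1) lists for one file name ($2).
listed_hash() {
    awk -v f="$2" '$2 == f { print $1; ok = 1; exit } END { exit !ok }' "$1"
}

# Demo on the constructed sample; with real downloads, pipe gpg into it:
#   gpg --status-fd 1 --verify SHA1SUMS.gpg SHA1SUMS 2>/dev/null | signer_is_pinned
if printf '%s\n' "$SAMPLE_STATUS" | signer_is_pinned; then
    echo "signer matches pinned fingerprint"
else
    echo "signer does NOT match pinned fingerprint"
fi
```

Once `signer_is_pinned` succeeds on the real files, compare `listed_hash SHA1SUMS kali-linux-2.0-amd64.iso` with the first field of `sha1sum kali-linux-2.0-amd64.iso`.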
