Oracle 5.0 Reference Manual page 72

1 new user ID
gpg: key 5072E1F5: "MySQL Release Engineering <mysql-build@oss.oracle.com>"
53 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new user IDs: 1
gpg: new signatures: 53
If you want to import the key into your RPM configuration to validate RPM install packages, you should
be able to import the key directly:
shell> rpm --import mysql_pubkey.asc
If you experience problems or require RPM specific information, see
Checking Using
RPM".
After you have downloaded and imported the public build key, download your desired MySQL package
and the corresponding signature, which also is available from the download page. The signature file
has the same name as the distribution file with an
following table.
Table 2.1. MySQL Package and Signature Files for Source files
File Type
Distribution file
Signature file
Make sure that both files are stored in the same directory and then run the following command to verify
the signature for the distribution file:
shell> gpg --verify package_name.asc
If the downloaded package is valid, you will see a "Good signature" similar to:
shell> gpg --verify mysql-standard-5.0.96-linux-i686.tar.gz.asc
gpg: Signature made Tue 01 Feb 2011 02:38:30 AM CST using DSA key ID 5072E1F5
gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"
The
Good signature
signature listed on our site. But you might also see warnings, like so:
shell> gpg --verify mysql-standard-5.0.96-linux-i686.tar.gz.asc
gpg: Signature made Wed 23 Jan 2013 02:25:45 AM PST using DSA key ID 5072E1F5
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from "MySQL Release Engineering <mysql-build@oss.oracle.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A4A9 4068 76FC BD3C 4567
That is normal, as they depend on your setup and configuration. Here are explanations for these
warnings:
• gpg: no ultimately trusted keys found: This means that the specific key is not "ultimately trusted" by
you or your web of trust, which is okay for the purposes of verifying file signatures.
• WARNING: This key is not certified with a trusted signature! There is no indication that the signature
belongs to the owner.: This refers to your level of trust in your belief that you possess our real public
key. This is a personal decision. Ideally, a MySQL developer would hand you the key in person,
but more commonly, you downloaded it. Was the download tampered with? Probably not, but this
decision is up to you. Setting up a web of trust is one method for trusting them.
See the GPG documentation for more information on how to work with public keys.
Signature Checking Using
File Name
mysql-standard-5.0.96-linux-i686.tar.gz
mysql-standard-5.0.96-linux-i686.tar.gz.asc
message indicates that the file signature is valid, when compared to the
52
GnuPG
Section 2.6.4, "Signature
extension, as shown by the examples in the
.asc
70C8 8C71 8D3B 5072 E1F5