Teemu Likonen <tlikonen@iki.fi> writes:

> Tomas Nordin [2020-03-21T15:37:36+01] wrote:
>
>> This is probably a dumb question and not really an issue for Notmuch.
>
> Excellent questions but partly difficult to answer.
>
>> But it is when using notmuch (through emacs) I get this Gnome pop-up.
>> See attached image. Some senders are attaching some sort of signature
>> that I get to trust or cancel.
>
> The sender's mail client has used gpgsm or similar program to digitally
> sign the message content. The sender's key that made the message
> signature has been certified by some certificate authority. And you are
> asked if you trust this certificate authority to certify others' keys.
>
>> What do people do in this case, I tend to cancel it. How should I
>> relate to the question. How do I know if I could ultimately trust
>> something as asked.
>
> That is the difficult part. The right answer is probably that user
> should carefully check the certificate authority's key fingerprint,
> compare it to the fingerprint that the authority has published somewhere
> else, study the certificate authority's reputation in certifying
> people's keys, or something like that.
>
> And almost nobody does that because it's too difficult.
>
> I do this: I press "Yes" (to trust "ultimately") but then immediately go
> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
> that certificate authority's key fingerprint. It marks that key
> untrusted (because I really don't know). Then: "gpgconf --reload
> gpg-agent".

OK, thanks. That already feels better, knowing I can revert this trust
easily like that. And some better understanding for what's going on.

Best regards
--
Tomas
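
The trustlist.txt step described in the quoted reply, as an added shell example that is not part of the thread or of Notmuch/GnuPG: a function that prefixes one root CA's entry with "!" and leaves everything else in the file unchanged. The function name `distrust_ca` is made up for illustration, and the script assumes the usual trustlist.txt layout of one fingerprint per line (with or without colons) followed by flags.

```shell
#!/bin/sh
# Added example. distrust_ca FINGERPRINT [TRUSTLIST]
# Marks the matching entry in gpg-agent's trustlist.txt as not trusted by
# putting "!" in front of its fingerprint. Returns 0 if the entry is (now)
# marked, 1 if the fingerprint is not listed, 2 on bad input.
distrust_ca() {
    # Normalise the fingerprint: drop colons/spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    file=${2:-"${GNUPGHOME:-$HOME/.gnupg}/trustlist.txt"}
    case $want in
        ''|*[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    tmp=$(mktemp "$file.XXXXXX") || return 2

    if awk -v want="$want" '
        /^[ \t]*(#|$)/ { print; next }          # keep comments and blanks
        {
            fpr = $1
            sub(/^!/, "", fpr)                  # entry may already be disabled
            gsub(/:/, "", fpr)
            if (toupper(fpr) == want) {
                found = 1
                if ($1 !~ /^!/) sub(/^[ \t]*/, "!")   # add the "!" only once
            }
            print
        }
        END { exit(found ? 0 : 1) }
    ' "$file" > "$tmp"; then
        cat "$tmp" > "$file"    # rewrite in place, keeping file permissions
        rc=0
    else
        rc=1                    # fingerprint not present: file left untouched
    fi
    rm -f "$tmp"
    return "$rc"
}

# Afterwards, make the running agent re-read the list, as in the thread:
#   gpgconf --reload gpg-agent
```

Removing the "!" again restores the entry, which is the easy revert mentioned in the reply.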