GPG warning about signature about rustup.sh HOT 6 OPEN

Why we have problem with signature and if we can't fix it why we're using it?

Well, we don't, you do. That is, this is from your local copy of gpg saying that it doesn't know that it's trusted.

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x85AB96E6FA1BE5FE

Those are the people who have signed it. If you had signed it yourself, or had one of those people in your web of trust, it wouldn't show the warning.

from rustup.sh.

Unfortunately, I'm just a user who runs installer and sees this message. From my point of view, installer runs gpg (or something else that calling gpg). Also I have no idea where and how I can fix it.

from rustup.sh.

Unfortunately, I'm just a user who runs installer and sees this message.

Yes, I was trying to explain the background.

Also I have no idea where and how I can fix it.

Well, you'd have to decide if you trust the key or not, and then use gpg to mark it as such. If you did, then it would go away.

Part of this is that it's not something we can do for you; it's up to you to decide to trust the key or not. That's a human question, not a programmer question.

from rustup.sh.

Ok, thank you anyway!

from rustup.sh.

Thanks for reporting! I do think that it's not great that this shows up, but I'm not sure what to do about it: we don't show it at all, IIRC, if gpg isn't installed, and if it is, well, this is the output it shows. Not sure how this could be improved. @brson any thoughts?

from rustup.sh.

The only way I know to fix this is to pipe gpg's output to /dev/null. We might just remove gpg verification from rustup.sh completely since its dependent on the host actually having it, and thus can't be relied on and is subject to downgrade attacks.

from rustup.sh.