GNU bug report logs - #22276: Instructions to verify tarball signature are insufficient
Report forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Thu, 31 Dec 2015 02:21:02 GMT)
Acknowledgement sent to carl hansen <carlhansen1234 <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 31 Dec 2015 02:21:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Manual says:

- "Download the binary tarball from ‘ftp://....’2"
  <http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#FOOT2>
  Footnotes (2)
  <http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#DOCF2>
  "As usual, make sure to download the associated .sig file and to verify the
  authenticity of the tarball against it!"

For those who know what you mean by that, the footnote is superfluous; for
those who don't know, it is opaque. I do the usual investigation, come up
with

  gpg --verify guix-binary-0.9.0.x86_64-linux.tar.xz.sig
  gpg: armor header: Version: GnuPG v2
  gpg: assuming signed data in `guix-binary-0.9.0.x86_64-linux.tar.xz'
  gpg: Signature made Wed 04 Nov 2015 10:23:38 AM PST using RSA key ID 3D9AEBB5
  gpg: Can't check signature: public key not found

after reading the gpg man page, with its multifarious options. So now I need
"gpg --import *.asc", which is how you import it into the public keyring.
But now I have to find the .asc file...

**UNIX, world's largest Adventure game**, as we used to say 30 years ago.

Is there some reason the actual command line to verify the sig cannot be
put into the manual?
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Sat, 02 Jan 2016 01:41:04 GMT)
Message #8 received at 22276 <at> debbugs.gnu.org:
Hi,
I’ve amended that section of the manual based on text from the
announcement (see
<https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
Step 1 becomes:
--8<---------------cut here---------------start------------->8---
1. Download the binary tarball from
‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
running the kernel Linux, and so on.
Make sure to download the associated ‘.sig’ file and to verify the
authenticity of the tarball against it, along these lines:
$ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
$ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
If that command fails because you don’t have the required public
key, then run this command to import it:
$ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
and rerun the ‘gpg --verify’ command.
--8<---------------cut here---------------end--------------->8---
Thanks for your feedback!
Ludo’.
bug closed, send any further explanations to 22276 <at> debbugs.gnu.org and carl hansen <carlhansen1234 <at> gmail.com>. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sat, 02 Jan 2016 01:41:04 GMT)
Changed bug title to 'Instructions to verify tarball signature are insufficient' from '.sig'. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sat, 02 Jan 2016 01:41:05 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Sun, 03 Jan 2016 09:21:01 GMT)
Message #15 received at 22276 <at> debbugs.gnu.org:
Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
> I’ve amended that section of the manual based on text from the
> announcement (see
> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
> Step 1 becomes:
>
>
> 1. Download the binary tarball from
> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
> running the kernel Linux, and so on.
>
> Make sure to download the associated ‘.sig’ file and to verify the
> authenticity of the tarball against it, along these lines:
>
> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>
> If that command fails because you don’t have the required public
> key, then run this command to import it:
>
> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
Hm, apparently it is some key, but what key? where did it come from? is
it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
should read gpg manual to find it out… but I won't». And then I will
not check the signature because I trust the tarball from "gnu.org" but I
don't trust a thing that I don't understand. (I talk only for myself,
I think other people are more conscious users)
I think it will also be good to explain what "3D9AEBB5" means.
--
Alex
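The step-1 procedure Ludo’ quotes above (wget the .sig, gpg --verify, gpg --recv-keys 3D9AEBB5) written as a script, as an added example that is not from the Guix manual, the Guix project or anyone in this thread. It adds the check a practitioner wants: a zero exit status from `gpg --verify` only means that some key in the local keyring produced a valid signature, so the script reads gpg's machine-readable `--status-fd` stream and compares the signer's primary-key fingerprint against a pinned value. It also answers Alex's question about what "3D9AEBB5" is: the short key ID, which is just the last 8 hex digits of the 40-digit key fingerprint. 32 bits are far too few to identify a key (colliding short IDs are cheap to produce), so the script fetches and pins by full fingerprint. Assumptions: `EXPECTED_FPR` is a placeholder, not the real Guix signing key, and must be replaced with the fingerprint obtained from a trusted channel such as the signed release announcement; the `[GNUPG:]` status lines are constructed samples, not output from any Guix release; `keys.gnupg.net` is simply the keyserver the thread names and may need substituting.

```shell
#!/bin/sh
# Added example, not code from the Guix manual or this bug thread.
# Verifies a detached OpenPGP signature on a tarball and insists that the
# signer's primary key matches a pinned fingerprint, instead of trusting
# the exit status of `gpg --verify` alone.

# ASSUMPTION: placeholder. Replace with the signing key's full 40-hex-digit
# fingerprint, obtained from a trusted channel (e.g. the release announcement).
EXPECTED_FPR="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
KEYSERVER="keys.gnupg.net"   # the server named in the thread; may need replacing

# short_keyid FPR: the 8-hex-digit "short key ID" (what "3D9AEBB5" is) is
# simply the last 8 digits of the fingerprint. 32 bits cannot identify a key
# safely, which is why everything below pins the full fingerprint instead.
short_keyid() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "${fpr#"${fpr%????????}"}"
}

# check_status STATUS WANT_FPR: STATUS is gpg's --status-fd output. Succeeds
# only when a VALIDSIG line names WANT_FPR as the signer's primary key and no
# line reports a bad, unverifiable, expired-key or revoked-key signature.
check_status() {
    status=$1; want=$2
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field
    # is the primary key's fingerprint; pin the primary key.
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{ print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# fetch_key: import by full fingerprint (not by short ID), then confirm that
# the key now in the keyring really has that fingerprint.
fetch_key() {
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR" &&
    gpg --batch --with-colons --fingerprint "$EXPECTED_FPR" |
        grep -q "^fpr:::::::::$EXPECTED_FPR:"
}

# verify_tarball TARBALL SIGFILE: the manual's `gpg --verify`, plus pinning.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1") || true
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo "signing key not in keyring; run fetch_key, then retry" >&2
        return 2
    fi
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed --status-fd samples (not real gpg output for any Guix release).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0F0F0F0F0F0F0F0F Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F 2015-11-04 1446661418 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0F0F0F0F0F0F0F0F Example Signer <signer@example.invalid>'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0F0F0F0F0F0F0F0F 1 8 00 1446661418 9
[GNUPG:] NO_PUBKEY 0F0F0F0F0F0F0F0F'
# A perfectly valid signature from a different key: gpg exits 0 on this,
# and only the fingerprint pin rejects it.
SAMPLE_OTHER_SIGNER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1A1A1A1A1A1A1A1A Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A 2015-11-04 1446661418 0 4 0 1 8 00 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A'
DEMO_FPR="00000000000000000000000000000000 3D9AEBB5"   # constructed; only the tail matters

# self_test: runs the checks over the constructed samples; succeeds iff all pass.
self_test() {
    check_status "$SAMPLE_GOOD" "$EXPECTED_FPR" || return 1
    check_status "$SAMPLE_BADSIG" "$EXPECTED_FPR" && return 1
    check_status "$SAMPLE_NOKEY" "$EXPECTED_FPR" && return 1
    check_status "$SAMPLE_OTHER_SIGNER" "$EXPECTED_FPR" && return 1
    [ "$(short_keyid "$DEMO_FPR")" = "3D9AEBB5" ] || return 1
    return 0
}

# Usage: sh verify.sh guix-binary-0.9.0.SYSTEM.tar.xz [guix-binary-0.9.0.SYSTEM.tar.xz.sig]
if [ $# -gt 0 ]; then
    verify_tarball "$1" "${2:-$1.sig}"
fi
```

The `SAMPLE_OTHER_SIGNER` case is the one the manual's instructions cannot catch: if an attacker who controls the download location (or, as Ludo’ notes later, DNS) also ships a .sig from their own key, and that key has ever landed in the user's keyring, plain `gpg --verify` reports a good signature. Pinning the fingerprint turns "someone signed this" into "the release manager signed this".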
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Sun, 03 Jan 2016 11:12:01 GMT)
Message #18 received at 22276 <at> debbugs.gnu.org:
Alex Kost <alezost <at> gmail.com> skribis:
> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>
>> 1. Download the binary tarball from
>> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>> running the kernel Linux, and so on.
>>
>> Make sure to download the associated ‘.sig’ file and to verify the
>> authenticity of the tarball against it, along these lines:
>>
>> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>> If that command fails because you don’t have the required public
>> key, then run this command to import it:
>>
>> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?
> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
> should read gpg manual to find it out… but I won't». And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand. (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.
I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:
https://www.gnupg.org/gph/en/manual.html#AEN136
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Sun, 03 Jan 2016 11:23:01 GMT)
Message #21 received at 22276 <at> debbugs.gnu.org:
Seems that the GPH repository given at
<https://www.gnupg.org/download/cvs_access.html> is now unreachable:
--8<---------------cut here---------------start------------->8---
$ cvs -z3 -d :pserver:anoncvs <at> cvs.gnupg.org:/cvs/gph co gph
cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
--8<---------------cut here---------------end--------------->8---
Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.
We could refer to the GnuPG manual, but it’s very much a reference
manual and doesn’t introduce OpenPGP concepts.
It sounds like fixing this documentation issue is beyond the scope of
Guix; one possible fix would be to revive the GPH, possibly converting it
to Texinfo and integrating it into GnuPG itself.
Thoughts?
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Mon, 04 Jan 2016 09:44:01 GMT)
Message #24 received at 22276 <at> debbugs.gnu.org:
Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
> Alex Kost <alezost <at> gmail.com> skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>> 1. Download the binary tarball from
>>> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>> running the kernel Linux, and so on.
>>>
>>> Make sure to download the associated ‘.sig’ file and to verify the
>>> authenticity of the tarball against it, along these lines:
>>>
>>> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>> If that command fails because you don’t have the required public
>>> key, then run this command to import it:
>>>
>>> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
Hm, not for me. But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc. And as a
total noob I trust binaries from "gnu.org" more than the scary
"3D9AEBB5" thing just because I don't understand it.
>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
>> should read gpg manual to find it out… but I won't». And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand. (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
> https://www.gnupg.org/gph/en/manual.html#AEN136
Thanks for the pointer! I hope it will clarify some things for me :-)
--
Alex
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Mon, 04 Jan 2016 09:52:03 GMT)
Message #27 received at 22276 <at> debbugs.gnu.org:
Ludovic Courtès (2016-01-03 14:22 +0300) wrote:
> Seems that the GPH repository given at
> <https://www.gnupg.org/download/cvs_access.html> is now unreachable:
>
> $ cvs -z3 -d :pserver:anoncvs <at> cvs.gnupg.org:/cvs/gph co gph
> cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
>
> Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.
>
> We could refer to the GnuPG manual, but it’s very much a reference
> manual and doesn’t introduce OpenPGP concepts.
Yes, I think a reference to the gpg manual wouldn't help (I didn't find
an answer to my question there)
> It sounds like fixing this documentation issue is beyond the scope of
> Guix;
I agree.
> one possible fix would be to revive the GPH, possibly converting it
> to Texinfo and integrating it into GnuPG itself.
It would be great, but I'm not a volunteer :-)
--
Alex
Information forwarded to bug-guix <at> gnu.org: bug#22276; Package guix. (Mon, 04 Jan 2016 10:04:02 GMT)
Message #30 received at 22276 <at> debbugs.gnu.org:
Alex Kost <alezost <at> gmail.com> skribis:
> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <alezost <at> gmail.com> skribis:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>> 1. Download the binary tarball from
>>>> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>> running the kernel Linux, and so on.
>>>>
>>>> Make sure to download the associated ‘.sig’ file and to verify the
>>>> authenticity of the tarball against it, along these lines:
>>>>
>>>> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>> If that command fails because you don’t have the required public
>>>> key, then run this command to import it:
>>>>
>>>> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me. But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc. And as a
> total noob I trust binaries from "gnu.org" more than the scary
> "3D9AEBB5" thing just because I don't understand it.
I see. Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.
Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Feb 2016 12:24:04 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.