GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient


Package: guix

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Message #15 received at 22276 <at> debbugs.gnu.org (full text, mbox):

From: Alex Kost <alezost <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: carl hansen <carlhansen1234 <at> gmail.com>, 22276 <at> debbugs.gnu.org
Subject: Re: bug#22276: .sig
Date: Sun, 03 Jan 2016 12:20:35 +0300

Ludovic Courtès (2016-01-01 21:04 +0300) wrote:

> I’ve amended that section of the manual based on text from the
> announcement (see
> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
> Step 1 becomes:
>
>
>   1. Download the binary tarball from
>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>      running the kernel Linux, and so on.
>
>      Make sure to download the associated ‘.sig’ file and to verify the
>      authenticity of the tarball against it, along these lines:
>
>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>
>      If that command fails because you don’t have the required public
>      key, then run this command to import it:
>
>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
Hm, apparently it is some key, but what key? where did it come from? is
it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
should read gpg manual to find it out… but I won't».  And then I will
not check the signature because I trust the tarball from "gnu.org" but I
don't trust a thing that I don't understand.  (I talk only for myself,
I think other people are more conscious users)

I think it will also be good to explain what "3D9AEBB5" means.

-- 
Alex
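
Added example, not part of the message above or of the Guix manual: "3D9AEBB5" in the quoted --recv-keys command is a short OpenPGP key ID, that is, the last 8 hex digits of the signing key's 40-digit fingerprint. The sketch below goes one step beyond the quoted procedure and accepts a gpg result only when the full fingerprint matches a pinned value; the function names are hypothetical and the fingerprints are constructed placeholders, not the real Guix signing key.

```shell
#!/bin/sh
# Added example; not from the Guix manual or this bug thread.
# "3D9AEBB5" is a short OpenPGP key ID: the last 8 hex digits of the
# signing key's 40-hex-digit (v4) fingerprint.

# Constructed placeholder fingerprints (NOT the real Guix signing key).
# They differ, yet share the same short ID.
PINNED_FPR=$(printf '%032d3D9AEBB5' 0)
LOOKALIKE_FPR=$(printf '%032d3D9AEBB5' 1)

# Print the short key ID (last 8 hex digits) of a fingerprint.
short_id_of() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'a-f' 'A-F' | sed 's/.*\(........\)$/\1/'
}

# Constructed `gpg --status-fd` lines for a good signature made by key $1.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Constructed Signer <signer@example.org>\n' \
        "$(printf '%s' "$1" | sed 's/.*\(................\)$/\1/')"
    printf '[GNUPG:] VALIDSIG %s 2015-11-05 1446681600 0 4 0 1 8 00 %s\n' "$1" "$1"
}

# Read gpg status lines on stdin. Succeed only if gpg reported a good
# signature (GOODSIG) whose full fingerprint (VALIDSIG) equals $1.
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2      # refuse short or long key IDs
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) match_fpr = 1
        }
        END { exit ((good && match_fpr) ? 0 : 1) }'
}

# Verify FILE ($1) against detached signature SIG ($2), pinned to FPR ($3).
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_matches_fpr "$3"
}
```

In real use, the value passed to verify_pinned is the full fingerprint published by the project through a channel you already trust.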




This bug report was last modified 9 years and 145 days ago.


