GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient

Previous Next

Package: guix;

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Full log

Message #18 received at 22276 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Alex Kost <alezost <at> gmail.com>
Cc: carl hansen <carlhansen1234 <at> gmail.com>, 22276 <at> debbugs.gnu.org
Subject: Re: bug#22276: .sig
Date: Sun, 03 Jan 2016 12:10:50 +0100

Alex Kost <alezost <at> gmail.com> skribis:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>
>>   1. Download the binary tarball from
>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>      running the kernel Linux, and so on.
>>
>>      Make sure to download the associated ‘.sig’ file and to verify the
>>      authenticity of the tarball against it, along these lines:
>>
>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>>      If that command fails because you don’t have the required public
>>      key, then run this command to import it:
>>
>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
> should read gpg manual to find it out… but I won't».  And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand.  (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

  https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.
This bug report was last modified 9 years and 145 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.