GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient


Package: guix;

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)



Message #24 received at 22276 <at> debbugs.gnu.org (full text, mbox):

From: Alex Kost <alezost <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: carl hansen <carlhansen1234 <at> gmail.com>, 22276 <at> debbugs.gnu.org
Subject: Re: bug#22276: .sig
Date: Mon, 04 Jan 2016 12:42:54 +0300
Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost <alezost <at> gmail.com> skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scary
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I speak only for myself;
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex
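
The manual text quoted above stops at `gpg --verify` plus `--recv-keys 3D9AEBB5`. What it does not say, and what a practitioner wants, is that a short key ID is only the last 32 bits of a fingerprint and can be collided, so the key fetched from a keyserver must still be checked against the project's full fingerprint. The script below, an added example that is not part of this bug thread or of the Guix manual, shows the whole procedure offline: it builds a throwaway "maintainer" keyring, signs a constructed stand-in tarball, exports and imports the public key into a separate "user" keyring (the state a downloader is in after `--recv-keys` or `--import`), and then accepts the tarball only if `gpg --verify` reports a good signature from the expected full fingerprint. The key, the tarball contents and the fingerprint are all generated locally and are assumptions; Ludovic's real fingerprint is not on this page and is not invented here.

```shell
#!/bin/sh
# Added example, not code from the Guix manual or the bug thread.  Verifies a
# release tarball against its detached .sig and refuses it unless the signing
# key has the full 40-hex-digit fingerprint obtained out of band.  A short
# key ID such as "3D9AEBB5" is only the low 32 bits of a fingerprint, so
# "--recv-keys 3D9AEBB5" can import a different key than the maintainer's.
# All keys, files and fingerprints below are constructed locally (offline).
set -eu

# verify_tarball FILE SIG EXPECTED_FPR
# Succeeds only if SIG is a good signature over FILE made by the key whose
# fingerprint (or whose primary key's fingerprint) is EXPECTED_FPR.
verify_tarball() {
    file=$1; sig=$2; expected=$3
    # --status-fd 1 yields machine-readable lines; non-zero exit means the
    # signature is bad, missing, or made by a key not in the keyring.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG <signing-key-fpr> <date> <sig-ts> <exp-ts> <ver> <reserved>
    #          <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || return 1
    signing_fpr=$(printf '%s\n' "$line" | awk '{print $3}')
    primary_fpr=$(printf '%s\n' "$line" | awk '{print $NF}')
    # A good signature from an unexpected key is still a failure.
    [ "$expected" = "$signing_fpr" ] || [ "$expected" = "$primary_fpr" ]
}

# setup_demo: constructed maintainer keyring, stand-in tarball, detached
# signature, public key exported and imported into a separate user keyring.
setup_demo() {
    [ -n "${DEMO_READY:-}" ] && return 0
    DEMO_DIR=$(mktemp -d)
    MAINT_HOME="$DEMO_DIR/maintainer"; USER_HOME="$DEMO_DIR/user"
    mkdir -m 700 "$MAINT_HOME" "$USER_HOME"
    TARBALL="$DEMO_DIR/guix-binary-0.9.0.x86_64-linux.tar.xz"   # name only; not a real archive
    SIG="$TARBALL.sig"
    TAMPERED="$DEMO_DIR/tampered.tar.xz"
    WRONG_FPR=$(printf '%040d' 0)                               # assumed "wrong" fingerprint
    printf 'constructed tarball payload, not a real archive\n' > "$TARBALL"
    cp "$TARBALL" "$TAMPERED"; printf 'X' >> "$TAMPERED"         # one extra byte

    # Throwaway release key standing in for the maintainer's (assumption).
    gpg --homedir "$MAINT_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Release Key <release@example.invalid>' default default never 2>/dev/null
    GOOD_FPR=$(gpg --homedir "$MAINT_HOME" --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --homedir "$MAINT_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$GOOD_FPR" --detach-sign --output "$SIG" "$TARBALL" 2>/dev/null

    # The downloader's side: import the public key (what --recv-keys would do),
    # then verify from that keyring.  The key is deliberately left untrusted;
    # gpg still exits 0 on a good signature, which is why the fingerprint
    # comparison in verify_tarball is the real check.
    gpg --homedir "$MAINT_HOME" --batch --armor --export "$GOOD_FPR" > "$DEMO_DIR/release-key.asc"
    gpg --homedir "$USER_HOME" --batch --quiet --import "$DEMO_DIR/release-key.asc" 2>/dev/null
    export GNUPGHOME="$USER_HOME"
    DEMO_READY=1
}

main() {
    setup_demo
    echo "expected release-key fingerprint: $GOOD_FPR"
    if verify_tarball "$TARBALL" "$SIG" "$GOOD_FPR"; then echo "genuine tarball: accepted"; fi
    if verify_tarball "$TAMPERED" "$SIG" "$GOOD_FPR"; then echo "tampered: WRONGLY accepted"
    else echo "tampered tarball: rejected"; fi
    if verify_tarball "$TARBALL" "$SIG" "$WRONG_FPR"; then echo "wrong key: WRONGLY accepted"
    else echo "good signature from unexpected key: rejected"; fi
}

# Run the demo only where gpg is installed; the functions above are the point.
if command -v gpg >/dev/null 2>&1; then main; fi
```

In real use, `EXPECTED_FPR` is the full fingerprint the project publishes (in the announcement, the manual, or a keyring shipped with the source), not something read back from the keyserver, and `setup_demo` is replaced by `wget` of the tarball and its `.sig` plus `gpg --recv-keys` or `gpg --import`.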



