GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient

Previous Next

Package: guix;

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Full log

Message #30 received at 22276 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Alex Kost <alezost <at> gmail.com>
Cc: carl hansen <carlhansen1234 <at> gmail.com>, 22276 <at> debbugs.gnu.org
Subject: Re: bug#22276: .sig
Date: Mon, 04 Jan 2016 11:02:45 +0100

Alex Kost <alezost <at> gmail.com> skribis:

> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <alezost <at> gmail.com> skribis:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>>   1. Download the binary tarball from
>>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>>      running the kernel Linux, and so on.
>>>>
>>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>>      authenticity of the tarball against it, along these lines:
>>>>
>>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>>      If that command fails because you don’t have the required public
>>>>      key, then run this command to import it:
>>>>
>>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me.  But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc.  And as a
> total noob I trust binaries from "gnu.org" more than the scaring
> "3D9AEBB5" thing just because I don't understand it.

I see.  Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.

Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.

Ludo’.
This bug report was last modified 9 years and 145 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.