GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient

Package: guix

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: carl hansen <carlhansen1234 <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: .sig
Date: Wed, 30 Dec 2015 16:19:05 -0800
Manual says:
- "Download the binary tarball from ‘ftp://....’" (2)
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#FOOT2>

Footnotes (2)
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#DOCF2>

"As usual, make sure to download the associated .sig file and to verify the
authenticity of the tarball against it!"

For those who know what you mean by that, the footnote is superfluous, for
those who don't know, it is opaque. I do the usual investigation, come up
with

gpg --verify guix-binary-0.9.0.x86_64-linux.tar.xz.sig
gpg: armor header: Version: GnuPG v2
gpg: assuming signed data in `guix-binary-0.9.0.x86_64-linux.tar.xz'
gpg: Signature made Wed 04 Nov 2015 10:23:38 AM PST using RSA key ID 3D9AEBB5
gpg: Can't check signature: public key not found

after reading the gpg man page, with its multifarious options. So now I need

"gpg --import *.asc" is how you import it into the public keyring

But now I have to find the .asc file...

**UNIX, world's largest Adventure game** as we used to say 30 years ago.

Is there some reason the actual command line to verify the sig cannot be
put into the manual?
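
The sequence described in the report above (verify fails with no public key, import the key, verify again), as an added example that is not part of the original report or of the Guix manual. It runs offline against a throwaway key and a stand-in file, both constructed here, and assumes GnuPG 2.1 or later; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: offline walk-through of detached-signature verification.
# The key, user ID and "tarball" are constructed throwaway data. Assumes GnuPG >= 2.1.

# verify_detached HOMEDIR SIG DATA -> prints good | nokey | bad,
# decided from gpg's machine-readable status lines, not its human messages.
verify_detached() {
    status=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] VALIDSIG"*)  echo good ;;
        *"[GNUPG:] NO_PUBKEY"*) echo nokey ;;
        *)                      echo bad ;;
    esac
}

run_demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; user="$work/user"; data="$work/release.tar.xz"
    mkdir -m 700 "$signer" "$user"

    # Publisher side: throwaway key, detached armored signature, exported .asc.
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Signer <signer@example.invalid>' \
        default default never 2>/dev/null
    printf 'constructed tarball contents\n' > "$data"
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --output "$data.sig" --detach-sign "$data" 2>/dev/null
    gpg --homedir "$signer" --batch --armor --export > "$work/signer.asc" 2>/dev/null

    # Downloader side, empty keyring: "Can't check signature: public key not found".
    before=$(verify_detached "$user" "$data.sig" "$data")
    # Import the signer's public key, then verify the same files again.
    gpg --homedir "$user" --batch --quiet --import "$work/signer.asc" 2>/dev/null
    after=$(verify_detached "$user" "$data.sig" "$data")
    # A tarball modified after signing must no longer verify.
    printf 'tampered\n' >> "$data"
    tampered=$(verify_detached "$user" "$data.sig" "$data")

    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$before $after $tampered"
}

# Call run_demo to execute the walk-through; it prints: nokey good bad
```

In real use the public key is obtained from the project through a channel independent of the tarball download, and its full fingerprint is checked before a good-signature result is trusted.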