GNU bug report logs - #22276
Instructions to verify tarball signature are insufficient

Previous Next

Package: guix;

Reported by: carl hansen <carlhansen1234 <at> gmail.com>

Date: Thu, 31 Dec 2015 02:21:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: carl hansen <carlhansen1234 <at> gmail.com>
Cc: 22276 <at> debbugs.gnu.org
Subject: bug#22276: .sig
Date: Fri, 01 Jan 2016 19:04:38 +0100

Hi,

I’ve amended that section of the manual based on text from the
announcement (see
<https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
Step 1 becomes:

--8<---------------cut here---------------start------------->8---
  1. Download the binary tarball from
     ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
     where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
     running the kernel Linux, and so on.

     Make sure to download the associated ‘.sig’ file and to verify the
     authenticity of the tarball against it, along these lines:

          $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
          $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig

     If that command fails because you don’t have the required public
     key, then run this command to import it:

          $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

     and rerun the ‘gpg --verify’ command.
--8<---------------cut here---------------end--------------->8---

Thanks for your feedback!

Ludo’.
This bug report was last modified 9 years and 145 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.