GNU bug report logs - #29540
[PATCH] gnu: spice: Update to 0.14.0.

Previous Next

Package: guix-patches;

Reported by: Andy Patterson <ajpatter <at> uwaterloo.ca>

Date: Sat, 2 Dec 2017 23:13:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #11 received at 29540 <at> debbugs.gnu.org (full text, mbox):

From: Andy Patterson <ajpatter <at> uwaterloo.ca>
To: Leo Famulari <leo <at> famulari.name>, 29540 <at> debbugs.gnu.org
Subject: Re: [bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Date: Sun, 3 Dec 2017 00:41:02 -0500

Hi Leo,

On Sat, 2 Dec 2017 19:41:23 -0500
Leo Famulari <leo <at> famulari.name> wrote:

> On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> > I downloaded the sources over https, but I didn't verify them
> > against the signature provided, since I couldn't figure out where
> > to download the keys from. Tips on how to find keys in general
> > would be appreciated.  
> 
> "How to use GnuPG" is probably best left to the experts:
> 
> https://gnupg.org/documentation/guides.html
> 
> But here's how I would acquire this key and verify the signature. Note
> that the crucial identifier, the key fingerprint, is provided in the
> error message of the first command.
> 
> ------
> $ gpg --verify spice-0.14.0.tar.bz2.sign                   
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg:                using RSA key
> 94A9F75661F77A6168649B23A9D8C21429AC6C82 gpg: Can't check signature:
> No public key
> 
> $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys
> 94A9F75661F77A6168649B23A9D8C21429AC6C82
> 
> $ gpg --verify
> spice-0.14.0.tar.bz2.sign gpg: assuming signed data in
> 'spice-0.14.0.tar.bz2' gpg: Signature made Wed 11 Oct 2017 07:33:58
> AM EDT gpg:                using RSA key
> 94A9F75661F77A6168649B23A9D8C21429AC6C82 gpg: Good signature from
> "Christophe Fergeau (teuf) <christophe <at> fergeau.eu>" [unknown]
> gpg:                 aka "Christophe Fergeau
> <teuf <at> gnome.org>" [unknown] gpg:                 aka "Christophe
> Fergeau <cfergeau <at> gmail.com>" [unknown] gpg:                 aka
> "Christophe Fergeau <cfergeau <at> redhat.com>" [unknown] gpg: WARNING:
> This key is not certified with a trusted signature! gpg:
> There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 94A9 F756 61F7 7A61 6864  9B23 A9D8 C214
> 29AC 6C82 ------
> 

Ooh, thanks.

> We can be reasonably sure that someone with that private key signed
> the tarball. Now, is it the right key? Hopefully the upstream
> documentation says which keys are considered "authorized" to sign
> Spice releases.

I didn't find anything. *shrugs*

--
Andy
This bug report was last modified 7 years and 248 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.