unofficial mirror of emacs-devel@gnu.org 
* Adding fingerprint to Emacs signature file?
From: Tadeus Prastowo @ 2021-11-03  3:50 UTC
  To: Eli Zaretskii; +Cc: emacs-devel

Hi Eli!

When verifying the signature of an Emacs tarball using gpg with
--auto-key-retrieve, I encounter an error, which does not happen when
verifying the signature of a Linux kernel in the same manner, as
demonstrated below:

1. Test using Linux kernel.
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz \
     https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign
unxz < linux-5.11.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 \
     --auto-key-retrieve --verify linux-5.11.tar.sign -

The output of the last command is as follows:
gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

2. Test using Emacs.
wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig \
     http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 \
    --auto-key-retrieve --verify emacs-27.2.tar.xz.sig -

The output of the last command is as follows:
gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
gpg:                using RSA key 91C1262F01EB8D39
gpg: Can't check signature: No public key

I have raised the issue in the gnupg-users mailing list, which has
been responded to as well:
https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065542.html
and https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065544.html

Would it be possible for future Emacs signature files to have the
issuer fingerprint as well?  Since I have not sought through the Emacs
mailing list archive, I am sorry if this issue has been raised in the
past.

Thank you.

-- 
Best regards,
Tadeus



* Re: Adding fingerprint to Emacs signature file?
From: Eli Zaretskii @ 2021-11-03 12:35 UTC
  To: Tadeus Prastowo; +Cc: emacs-devel

> From: Tadeus Prastowo <0x66726565@gmail.com>
> Date: Wed, 3 Nov 2021 04:50:05 +0100
> Cc: emacs-devel@gnu.org
> 
> 2. Test using Emacs.
> wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig \
>      http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
> cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 \
>     --auto-key-retrieve --verify emacs-27.2.tar.xz.sig -
> 
> The output of the last command is as follows:
> gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
> gpg:                using RSA key 91C1262F01EB8D39
> gpg: Can't check signature: No public key

You need to do this, I think:

  gpg --import gnu-keyring.gpg

> Would it be possible for future Emacs signature files to have the
> issuer fingerprint as well?  Since I have not sought through the Emacs
> mailing list archive, I am sorry if this issue has been raised in the
> past.

I was using the procedure provided for all the GNU FTP uploaders.  I
don't know what your proposal means in terms of changes to that
procedure, but I suggest raising it with the relevant people, at
ftp-upload@gnu.org.



* Re: Adding fingerprint to Emacs signature file?
From: Stefan Monnier @ 2021-11-03 12:40 UTC
  To: Eli Zaretskii; +Cc: Tadeus Prastowo, emacs-devel

> I was using the procedure provided for all the GNU FTP uploaders.  I
> don't know what your proposal means in terms of changes to that
> procedure, but I suggest raising it with the relevant people, at
> ftp-upload@gnu.org.

AFAIK it means the signing operation needs to be performed with a GPG
version newer than 2.1.16


        Stefan




* Re: Adding fingerprint to Emacs signature file?
From: Eli Zaretskii @ 2021-11-03 13:14 UTC
  To: Stefan Monnier; +Cc: 0x66726565, emacs-devel

> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: Tadeus Prastowo <0x66726565@gmail.com>,  emacs-devel@gnu.org
> Date: Wed, 03 Nov 2021 08:40:12 -0400
> 
> > I was using the procedure provided for all the GNU FTP uploaders.  I
> > don't know what your proposal means in terms of changes to that
> > procedure, but I suggest raising it with the relevant people, at
> > ftp-upload@gnu.org.
> 
> AFAIK it means the signing operation needs to be performed with a GPG
> version newer than 2.1.16

I used the version of GPG that was installed on the GNU server where I
tarred the release.



^ permalink raw reply	[flat|nested] 4+ messages in thread
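
Added example (not part of the thread, and not code from GnuPG or the GNU upload procedure): the two gpg outputs in the first message differ in what the signature says about its issuer, a full fingerprint for the kernel and only a 64-bit key ID for Emacs. The Python sketch below reads a binary version 4 OpenPGP signature packet and reports whether it carries the issuer fingerprint subpacket (type 33) or only the issuer key ID subpacket (type 16). The function names and the sample packets are assumptions made here; the samples are constructed around the key ID and fingerprint quoted in the thread and are not real signatures.

```python
def sig_body(pkt: bytes) -> bytes:
    """Return the body of a binary (de-armored) version 4 signature packet."""
    hdr, first = pkt[0], pkt[1]
    if hdr & 0xC0 == 0xC0 and not 224 <= first < 255:  # new-format header
        tag, start = hdr & 0x3F, 2 if first < 192 else 3 if first < 224 else 6
    elif hdr & 0xC0 == 0x80 and hdr & 3 != 3:           # old-format, definite length
        tag, start = (hdr >> 2) & 0x0F, 1 + (1 << (hdr & 3))
    else:
        raise ValueError("unsupported packet header")
    if tag != 2 or pkt[start] != 4:
        raise ValueError("not a version 4 signature packet")
    return pkt[start:]

def subpackets(area: bytes):  # yields (type, data) for each subpacket in one area
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                      # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                          # five-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # bit 7 of the type is the critical flag
        i += n

def issuer_info(sig: bytes) -> dict:  # which issuer subpackets does the signature carry?
    body, pos = sig_body(sig), 4                # skip version, sig type, pubkey and hash algo
    info = {"key_id": None, "fingerprint": None}
    for _ in range(2):                          # hashed area, then unhashed area
        n = int.from_bytes(body[pos:pos + 2], "big")
        for typ, data in subpackets(body[pos + 2:pos + 2 + n]):
            if typ == 16:                       # issuer key ID (8 octets)
                info["key_id"] = data.hex().upper()
            elif typ == 33:                     # issuer fingerprint: key version + fingerprint
                info["fingerprint"] = data[1:].hex().upper()
        pos += 2 + n
    return info

# Constructed packets (dummy signature value); key ID and fingerprint are from the thread.
def _sp(typ, data): return bytes([len(data) + 1, typ]) + data
def _sig(hashed, unhashed):
    areas = b"".join(len(a).to_bytes(2, "big") + a for a in (hashed, unhashed))
    body = b"\x04\x00\x01\x08" + areas + b"\x00\x00\x00\x08\xff"  # hash prefix, dummy MPI
    return bytes([0x88, len(body)]) + body      # old-format header, tag 2
FPR = bytes.fromhex("647F28654894E3BD457199BE38DBBDC86092693E")
KEYID_ONLY = _sig(_sp(2, bytes(4)), _sp(16, bytes.fromhex("91C1262F01EB8D39")))
WITH_FPR = _sig(_sp(33, b"\x04" + FPR) + _sp(2, bytes(4)), _sp(16, FPR[-8:]))
```

To inspect a real file, pass the bytes of a binary .sig to issuer_info(); gpg --list-packets shows the same subpackets as "subpkt 16" and "subpkt 33".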
