unofficial mirror of emacs-devel@gnu.org 
* Adding fingerprint to Emacs signature file?
@ 2021-11-03  3:50 Tadeus Prastowo
  2021-11-03 12:35 ` Eli Zaretskii
  0 siblings, 1 reply; 4+ messages in thread
From: Tadeus Prastowo @ 2021-11-03  3:50 UTC
  To: Eli Zaretskii; +Cc: emacs-devel

Hi Eli!

When verifying the signature of an Emacs tarball using gpg with
--auto-key-retrieve, I encounter an error, which does not happen when
verifying the signature of a Linux kernel in the same manner, as
demonstrated below:

1. Test using Linux kernel.
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz \
     https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign
unxz < linux-5.11.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 \
     --auto-key-retrieve --verify linux-5.11.tar.sign -

The output of the last command is as follows:
gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman
<gregkh@linuxfoundation.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Greg Kroah-Hartman
<gregkh@linuxfoundation.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable
release signing key) <greg@kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

2. Test using Emacs.
wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig \
     http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 \
     --auto-key-retrieve --verify emacs-27.2.tar.xz.sig -

The output of the last command is as follows:
gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
gpg:                using RSA key 91C1262F01EB8D39
gpg: Can't check signature: No public key

I have raised the issue on the gnupg-users mailing list, where it has
been responded to as well:
https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065542.html
and https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065544.html

Would it be possible for future Emacs signature files to have the
issuer fingerprint as well?  Since I have not searched through the Emacs
mailing list archive, I am sorry if this issue has been raised in the
past.

Thank you.

-- 
Best regards,
Tadeus
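
Added example, not part of the original message and not GnuPG or Emacs code: a small parser that reports whether a binary (non-armored) version 4 OpenPGP signature packet carries only the 64-bit Issuer key ID subpacket (type 16) or also the Issuer Fingerprint subpacket (type 33), which is the difference visible in the two gpg outputs above. The subpacket type numbers come from the OpenPGP specification; the two sample packets are constructed here, not the real signature files, and reuse only the key ID and fingerprint printed above.

```python
ISSUER_KEY_ID, ISSUER_FINGERPRINT = 16, 33   # OpenPGP signature subpacket types
def packet_body(data):
    """Return (tag, body) of the first binary OpenPGP packet in data."""
    hdr = data[0]
    if hdr & 0xC0 == 0xC0 and data[1] < 192:      # new format, one-octet length
        return hdr & 0x3F, data[2:2 + data[1]]
    n = 1 << (hdr & 0x03)                         # old format: 1, 2 or 4 length octets
    if hdr & 0xC0 != 0x80 or n == 8:
        raise ValueError("unsupported packet header (ASCII-armored input?)")
    return (hdr >> 2) & 0x0F, data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def subpackets(area):
    """Yield (type, value) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        if area[i] < 192:
            length, i = area[i], i + 1
        elif area[i] < 255:
            length, i = ((area[i] - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask off the critical bit
        i += length

def issuer_info(sig):
    """Report which issuer hints a version 4 signature packet carries."""
    tag, body = packet_body(sig)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    info, pos = {"key_id": None, "fingerprint": None}, 4
    for _ in range(2):                            # hashed area, then unhashed area
        n = int.from_bytes(body[pos:pos + 2], "big")
        for typ, val in subpackets(body[pos + 2:pos + 2 + n]):
            if typ == ISSUER_KEY_ID:
                info["key_id"] = val.hex().upper()
            elif typ == ISSUER_FINGERPRINT:
                info["fingerprint"] = val[1:].hex().upper()  # drop key-version octet
        pos += 2 + n
    return info

def build_sig(hashed, unhashed):
    """Constructed sample: v4 RSA/SHA-256 signature packet with a dummy trailer."""
    areas = b"".join(len(a).to_bytes(2, "big") + a for a in (hashed, unhashed))
    body = bytes([4, 0, 1, 8]) + areas + bytes(4)
    return bytes([0x88, len(body)]) + body        # old format, tag 2, 1-octet length

FPR = bytes.fromhex("647F28654894E3BD457199BE38DBBDC86092693E")  # kernel key, from the page
ONLY_KEY_ID = build_sig(b"", bytes([9, 16]) + bytes.fromhex("91C1262F01EB8D39"))
WITH_FPR = build_sig(bytes([22, 33, 4]) + FPR, bytes([9, 16]) + FPR[-8:])
```

To inspect a real detached signature, pass the bytes of the binary .sig file to issuer_info(); an armored file has to be dearmored first.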




Thread overview: 4+ messages
2021-11-03  3:50 Adding fingerprint to Emacs signature file? Tadeus Prastowo
2021-11-03 12:35 ` Eli Zaretskii
2021-11-03 12:40   ` Stefan Monnier
2021-11-03 13:14     ` Eli Zaretskii