* Public key for verifying emacs sources?
@ 2021-07-18 1:44 Steve Revilak
2021-07-18 7:00 ` Eli Zaretskii
0 siblings, 1 reply; 5+ messages in thread
From: Steve Revilak @ 2021-07-18 1:44 UTC (permalink / raw)
To: help-gnu-emacs
[-- Attachment #1: Type: text/plain, Size: 820 bytes --]
I'm having trouble verifying the pgp signature of the emacs 27.2
sources. I've downloaded
https://ftp.gnu.org/gnu/emacs/emacs-27.2.tar.xz, and
https://ftp.gnu.org/gnu/emacs/emacs-27.2.tar.xz.sig
I'd like to verify the tar.xz file before building, but I'm running
into this:
$ gpg --verify emacs-27.2.tar.xz.sig
gpg: assuming signed data in 'emacs-27.2.tar.xz'
gpg: Signature made Thu 25 Mar 2021 07:53:08 AM EDT
gpg: using RSA key 0x91C1262F01EB8D39
gpg: Can't check signature: No public key
And the keyserver I normally use doesn't know about key
0x91C1262F01EB8D39:
$ gpg --keyserver keys.openpgp.org --recv-key 0x91C1262F01EB8D39
gpg: keyserver receive failed: No data
Where can I find a copy of the signing key, so I can verify the source
distribution I've downloaded?
Steve
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Public key for verifying emacs sources?
2021-07-18 1:44 Public key for verifying emacs sources? Steve Revilak
@ 2021-07-18 7:00 ` Eli Zaretskii
2021-07-18 11:38 ` Jean Louis
2021-07-18 14:08 ` Steve Revilak
0 siblings, 2 replies; 5+ messages in thread
From: Eli Zaretskii @ 2021-07-18 7:00 UTC (permalink / raw)
To: help-gnu-emacs
> Date: Sat, 17 Jul 2021 21:44:31 -0400
> From: Steve Revilak <steve@srevilak.net>
>
> Where can I find a copy of the signing key, so I can verify the source
> distribution I've downloaded?
Download the latest gnu-keyring.gpg from
https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
gpg --import gnu-keyring.gpg
Then try verifying the signature again.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Public key for verifying emacs sources?
2021-07-18 7:00 ` Eli Zaretskii
@ 2021-07-18 11:38 ` Jean Louis
2021-07-18 12:05 ` Eli Zaretskii
2021-07-18 14:08 ` Steve Revilak
1 sibling, 1 reply; 5+ messages in thread
From: Jean Louis @ 2021-07-18 11:38 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: help-gnu-emacs
* Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > From: Steve Revilak <steve@srevilak.net>
> >
> > Where can I find a copy of the signing key, so I can verify the source
> > distribution I've downloaded?
>
> Download the latest gnu-keyring.gpg from
> https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
>
> gpg --import gnu-keyring.gpg
>
> Then try verifying the signature again.
Me too, I have done the import and I see large number of keys. While
it is good that keys are distributed from official GNU.org server,
there is no published assurance that GNU project verified each key to
belong to the person it should belong. Thus one shall not forget
security depends on the weakest part.
In other words, verifying that package belongs to specific key is one
level of security, it does not verify that key belongs to the specific
author that package claim to belong unless both sender and receipient
verify each other's personal identity and fingerprints.
Better security than PGP for Emacs packages on GNU ELPA represents the
fact that many developers and users are looking into packages anyway.
IMHO, PGP in the GNU ELPA is kind of redundant as the true
verification of the keys and fingerprints would be rather tedious
activity.
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Public key for verifying emacs sources?
2021-07-18 11:38 ` Jean Louis
@ 2021-07-18 12:05 ` Eli Zaretskii
0 siblings, 0 replies; 5+ messages in thread
From: Eli Zaretskii @ 2021-07-18 12:05 UTC (permalink / raw)
To: help-gnu-emacs
> Date: Sun, 18 Jul 2021 14:38:07 +0300
> From: Jean Louis <bugs@gnu.support>
> Cc: help-gnu-emacs@gnu.org
>
> * Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > > From: Steve Revilak <steve@srevilak.net>
> > >
> > > Where can I find a copy of the signing key, so I can verify the source
> > > distribution I've downloaded?
> >
> > Download the latest gnu-keyring.gpg from
> > https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
> >
> > gpg --import gnu-keyring.gpg
> >
> > Then try verifying the signature again.
>
> Me too, I have done the import and I see large number of keys. While
> it is good that keys are distributed from official GNU.org server,
> there is no published assurance that GNU project verified each key to
> belong to the person it should belong. Thus one shall not forget
> security depends on the weakest part.
Please take this up with the GNU FTP site maintainers. I didn't
upload my key to any place, I sent them my key and asked for upload
rights. I don't know what they did with the key.
This issue doesn't belong on this forum anyway.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Public key for verifying emacs sources?
2021-07-18 7:00 ` Eli Zaretskii
2021-07-18 11:38 ` Jean Louis
@ 2021-07-18 14:08 ` Steve Revilak
1 sibling, 0 replies; 5+ messages in thread
From: Steve Revilak @ 2021-07-18 14:08 UTC (permalink / raw)
To: help-gnu-emacs
[-- Attachment #1: Type: text/plain, Size: 339 bytes --]
>> Where can I find a copy of the signing key, so I can verify the source
>> distribution I've downloaded?
>Download the latest gnu-keyring.gpg from
>https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
>
> gpg --import gnu-keyring.gpg
>
>Then try verifying the signature again.
That was exactly what I needed -- thanks so much!
Steve
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-07-18 14:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-18 1:44 Public key for verifying emacs sources? Steve Revilak
2021-07-18 7:00 ` Eli Zaretskii
2021-07-18 11:38 ` Jean Louis
2021-07-18 12:05 ` Eli Zaretskii
2021-07-18 14:08 ` Steve Revilak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).