From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: Public key for verifying emacs sources?
Date: Sun, 18 Jul 2021 14:38:07 +0300
To: Eli Zaretskii
Cc: help-gnu-emacs@gnu.org

* Eli Zaretskii [2021-07-18 10:02]:
> > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > From: Steve Revilak
> >
> > Where can I find a copy of the signing key, so I can verify the source
> > distribution I've downloaded?
>
> Download the latest gnu-keyring.gpg from
> https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
>
>   gpg --import gnu-keyring.gpg
>
> Then try verifying the signature again.

Me too, I have done the import and I see a large number of keys.

While it is good that keys are distributed from the official GNU.org
server, there is no published assurance that the GNU project verified
each key to belong to the person it should belong to. Thus one shall
not forget security depends on the weakest part.

In other words, verifying that a package belongs to a specific key is
one level of security; it does not verify that the key belongs to the
specific author that the package claims to belong to unless both
sender and recipient verify each other's personal identity and
fingerprints.

Better security than PGP for Emacs packages on GNU ELPA represents
the fact that many developers and users are looking into packages
anyway.
IMHO, PGP in the GNU ELPA is kind of redundant as the true
verification of the keys and fingerprints would be a rather tedious
activity.

Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
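
The gap described in this message (a signature that verifies against some key in gnu-keyring.gpg says nothing about whose key it was) can be narrowed by pinning the expected signer's fingerprint. The following is an added example, not part of the thread or of any GNU tooling; the function names are hypothetical, and the pinned fingerprint is assumed to have been obtained and checked out of band.

```shell
#!/bin/sh
# Added example (not from the thread). The function names are hypothetical
# and the fingerprint to pin must come from an out-of-band source.

# check_status PINNED_FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only when exactly one signature was checked, it is good, and the
# primary key that made it has the pinned fingerprint.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || return 2
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good++ }
        $2 == "VALIDSIG" {
            valid++
            # Field 3 is the signing (sub)key, field 12 the primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == pinned) pinned_ok = 1
        }
        END { exit !(bad == 0 && good == 1 && valid == 1 && pinned_ok == 1) }
    '
}

# verify_pinned PINNED_FPR KEYRING SIGNATURE TARBALL
# Imports the keyring into a throwaway GnuPG home so keys already in the
# user's own keyring cannot influence the result.
verify_pinned() {
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$2" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null |
        check_status "$1"
    rc=$?
    rm -rf "$home"
    return "$rc"
}
```

Pinning moves the trust decision to how the fingerprint was obtained; it does not replace the identity check between sender and recipient that the message describes.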