unofficial mirror of help-gnu-emacs@gnu.org
* Public key for verifying emacs sources?
@ 2021-07-18  1:44 Steve Revilak
  2021-07-18  7:00 ` Eli Zaretskii
From: Steve Revilak @ 2021-07-18  1:44 UTC (permalink / raw)
  To: help-gnu-emacs


I'm having trouble verifying the pgp signature of the emacs 27.2
sources.  I've downloaded

  https://ftp.gnu.org/gnu/emacs/emacs-27.2.tar.xz, and
  https://ftp.gnu.org/gnu/emacs/emacs-27.2.tar.xz.sig

I'd like to verify the tar.xz file before building, but I'm running
into this:

  $ gpg --verify emacs-27.2.tar.xz.sig
  gpg: assuming signed data in 'emacs-27.2.tar.xz'
  gpg: Signature made Thu 25 Mar 2021 07:53:08 AM EDT
  gpg:                using RSA key 0x91C1262F01EB8D39
  gpg: Can't check signature: No public key

And the keyserver I normally use doesn't know about key
0x91C1262F01EB8D39:

  $ gpg --keyserver keys.openpgp.org --recv-key 0x91C1262F01EB8D39
  gpg: keyserver receive failed: No data

Where can I find a copy of the signing key, so I can verify the source
distribution I've downloaded?

Steve


* Re: Public key for verifying emacs sources?
  2021-07-18  1:44 Public key for verifying emacs sources? Steve Revilak
@ 2021-07-18  7:00 ` Eli Zaretskii
  2021-07-18 11:38   ` Jean Louis
  2021-07-18 14:08   ` Steve Revilak
From: Eli Zaretskii @ 2021-07-18  7:00 UTC (permalink / raw)
  To: help-gnu-emacs

> Date: Sat, 17 Jul 2021 21:44:31 -0400
> From: Steve Revilak <steve@srevilak.net>
> 
> Where can I find a copy of the signing key, so I can verify the source
> distribution I've downloaded?

Download the latest gnu-keyring.gpg from
https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:

   gpg --import gnu-keyring.gpg

Then try verifying the signature again.

* Re: Public key for verifying emacs sources?
  2021-07-18  7:00 ` Eli Zaretskii
@ 2021-07-18 11:38   ` Jean Louis
  2021-07-18 12:05     ` Eli Zaretskii
  2021-07-18 14:08   ` Steve Revilak
From: Jean Louis @ 2021-07-18 11:38 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: help-gnu-emacs

* Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > From: Steve Revilak <steve@srevilak.net>
> > 
> > Where can I find a copy of the signing key, so I can verify the source
> > distribution I've downloaded?
> 
> Download the latest gnu-keyring.gpg from
> https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
> 
>    gpg --import gnu-keyring.gpg
> 
> Then try verifying the signature again.

Me too, I have done the import and I see a large number of keys. While
it is good that keys are distributed from the official GNU.org server,
there is no published assurance that the GNU project verified each key to
belong to the person it should belong to. Thus one shall not forget that
security depends on the weakest part.

In other words, verifying that a package belongs to a specific key is one
level of security; it does not verify that the key belongs to the specific
author the package claims to belong to, unless both sender and recipient
verify each other's personal identity and fingerprints.

Better security than PGP for Emacs packages on GNU ELPA represents the
fact that many developers and users are looking into packages anyway.

IMHO, PGP in the GNU ELPA is kind of redundant as the true
verification of the keys and fingerprints would be rather tedious
activity.



Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
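
The procedure in this thread (import gnu-keyring.gpg, then `gpg --verify`) and the caveat above (a key being in the keyring says nothing about who owns it) can be combined in a small checker. The following is an added example, not code from any post here or from the GNU project: it reads gpg's machine-readable `--status-fd` output and accepts a signature only when it is GOODSIG/VALIDSIG *and* the signing key's primary fingerprint matches one pinned in advance. The pinned fingerprint, the `89ABCDEF01234567` key ID, the sample status lines and the `verify_file`/`check_status` names are constructed placeholders, not the real Emacs release key; the `91C1262F01EB8D39` key ID in the NO_PUBKEY sample is the one from the original question.

```python
"""Verify a detached OpenPGP signature via gpg and pin the signing key.

Importing gnu-keyring.gpg makes `gpg --verify` succeed, but gpg still reports
the key as TRUST_UNDEFINED (it prints "This key is not certified with a
trusted signature").  Comparing the primary-key fingerprint against one
obtained out of band is the practical substitute for that missing check.

Added example, not from the thread.  Fingerprints and status lines below are
constructed placeholders (hypothetical), not real captures.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical pinned fingerprint: placeholder, obtain the real one out of band
# (e.g. from a maintainer you have verified), never from the same download site.
PINNED_FINGERPRINTS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status tags after which the signature must be rejected outright.
REJECT_TAGS = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    keyid: Optional[str] = None
    fingerprint: Optional[str] = None


def check_status(status_output: str, pinned: Set[str] = PINNED_FINGERPRINTS) -> VerifyResult:
    """Decide from `--status-fd` lines whether the data is signed by a pinned key.
    GOODSIG alone is not enough: the key must also match a pinned fingerprint."""
    good = False
    keyid = None
    fingerprint = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore anything that is not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "NO_PUBKEY":
            # The situation in the original question: nothing to verify against.
            return VerifyResult(False, "signing key not in keyring", keyid=fields[2])
        if tag in REJECT_TAGS:
            return VerifyResult(False, f"signature rejected ({tag})", keyid=fields[2])
        if tag == "ERRSIG":
            keyid = fields[2]  # remember which key was wanted; NO_PUBKEY may follow
        elif tag == "GOODSIG":
            good, keyid = True, fields[2]
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            # <hash-algo> <class> [<primary-key-fpr>]; pin the primary-key
            # fingerprint when present so a rotated signing subkey still passes.
            fingerprint = (fields[11] if len(fields) >= 12 else fields[2]).upper()
    if not good or fingerprint is None:
        return VerifyResult(False, "no GOODSIG/VALIDSIG reported", keyid, fingerprint)
    if fingerprint not in {f.upper() for f in pinned}:
        return VerifyResult(False, "valid signature, but key is not pinned", keyid, fingerprint)
    return VerifyResult(True, "valid signature from pinned key", keyid, fingerprint)


def verify_file(sig_path: str, data_path: str, pinned: Set[str] = PINNED_FINGERPRINTS) -> VerifyResult:
    """Run gpg with status output on stdout and apply check_status.
    Requires gpg on PATH and the keyring (e.g. gnu-keyring.gpg) already imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout, pinned)


# Constructed sample status output (placeholder key; not real gpg captures).
STATUS_NO_PUBKEY = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 91C1262F01EB8D39 1 10 00 1616673188 9 -",
    "[GNUPG:] NO_PUBKEY 91C1262F01EB8D39",
])
STATUS_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-03-25 1616673188 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
STATUS_BADSIG = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>",
])

if __name__ == "__main__":
    for name, sample in [("no_pubkey", STATUS_NO_PUBKEY), ("good", STATUS_GOOD),
                         ("badsig", STATUS_BADSIG)]:
        print(name, check_status(sample))
```

After `gpg --import gnu-keyring.gpg`, a call such as `verify_file("emacs-27.2.tar.xz.sig", "emacs-27.2.tar.xz")` returns `ok=True` only if the signature is good and the key is the pinned one; a good signature from any other key in the keyring is reported as "valid signature, but key is not pinned", which is exactly the gap between "signed by some key on ftp.gnu.org" and "signed by the maintainer".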

* Re: Public key for verifying emacs sources?
  2021-07-18 11:38   ` Jean Louis
@ 2021-07-18 12:05     ` Eli Zaretskii
From: Eli Zaretskii @ 2021-07-18 12:05 UTC (permalink / raw)
  To: help-gnu-emacs

> Date: Sun, 18 Jul 2021 14:38:07 +0300
> From: Jean Louis <bugs@gnu.support>
> Cc: help-gnu-emacs@gnu.org
> 
> * Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > > From: Steve Revilak <steve@srevilak.net>
> > > 
> > > Where can I find a copy of the signing key, so I can verify the source
> > > distribution I've downloaded?
> > 
> > Download the latest gnu-keyring.gpg from
> > https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
> > 
> >    gpg --import gnu-keyring.gpg
> > 
> > Then try verifying the signature again.
> 
> Me too, I have done the import and I see large number of keys. While
> it is good that keys are distributed from official GNU.org server,
> there is no published assurance that GNU project verified each key to
> belong to the person it should belong. Thus one shall not forget
> security depends on the weakest part.

Please take this up with the GNU FTP site maintainers.  I didn't
upload my key to any place, I sent them my key and asked for upload
rights.  I don't know what they did with the key.

This issue doesn't belong on this forum anyway.

* Re: Public key for verifying emacs sources?
  2021-07-18  7:00 ` Eli Zaretskii
  2021-07-18 11:38   ` Jean Louis
@ 2021-07-18 14:08   ` Steve Revilak
From: Steve Revilak @ 2021-07-18 14:08 UTC (permalink / raw)
  To: help-gnu-emacs


>> Where can I find a copy of the signing key, so I can verify the source
>> distribution I've downloaded?

>Download the latest gnu-keyring.gpg from
>https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
>
>   gpg --import gnu-keyring.gpg
>
>Then try verifying the signature again.

That was exactly what I needed -- thanks so much!

Steve
