From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Tadeus Prastowo <0x66726565@gmail.com> Newsgroups: gmane.emacs.devel Subject: Adding fingerprint to Emacs signature file? Date: Wed, 3 Nov 2021 04:50:05 +0100 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="18094"; mail-complaints-to="usenet@ciao.gmane.io" Cc: emacs-devel@gnu.org To: Eli Zaretskii Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Nov 03 04:53:45 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mi7LN-0004Wc-OV for ged-emacs-devel@m.gmane-mx.org; Wed, 03 Nov 2021 04:53:45 +0100 Original-Received: from localhost ([::1]:60802 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mi7LL-0001ZW-RN for ged-emacs-devel@m.gmane-mx.org; Tue, 02 Nov 2021 23:53:43 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:43970) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <0x66726565@gmail.com>) id 1mi7I3-0005Ft-TJ for emacs-devel@gnu.org; Tue, 02 Nov 2021 23:50:19 -0400 Original-Received: from mail-qv1-xf2f.google.com ([2607:f8b0:4864:20::f2f]:39639) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <0x66726565@gmail.com>) id 1mi7I2-0005vF-7G; Tue, 02 Nov 2021 23:50:19 -0400 Original-Received: by mail-qv1-xf2f.google.com with SMTP id k29so1460695qve.6; Tue, 02 Nov 2021 20:50:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=1qhfEViVapgXGteT58Y52nxhX8ymt/Akwjccv2G1YP8=; b=nLSWBmvVy+c+7ZXozTdFiwjHz4PlV0PeY2TBrEQbycBtIBEZLwXVtVk+sThj1K1pqk NKcNZQVL1V2wWevxrLY6NMcaLqOL0hfx4784miJzovtDdW3JGnoYAFDWMN8+LDmxh+q/ R5/fYpzbRU5AGH7J16FmAZ8J+5NkjfX/JreqU3FGRHDhNmqFtn5vdXla7oq1upPnM5hg ZKjKSinwutpyqVbOBDKJDn2QkxrJy7s5SIMLWoJoQcWMvi8EAdeHuOdtMDBjOPG6anK3 GrSiwk1ipvm5QurZuco/DjzhymwL29vBDI44ttJUMJTVyd+IT4RPDwx23Hc6UQqkDg27 pDnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=1qhfEViVapgXGteT58Y52nxhX8ymt/Akwjccv2G1YP8=; b=b5IAMJKDUrf/hfAmJJxaDp+kY7Dhf4NA/7zFD5QCTiVWoA//FdTRIhruyDbn0dwZVJ i56fvDVLvXrrGgmURbzUsaswvmmRGchTmh4QltjSq0tyWJMJoRUOUpaUzzZBdsxdY3us AVOEAZKUe1ARssVZwaZt8no1s7WWpfDzWJZkg+cdld4V3ri3H9GxbCkmmnYtUXrK/6an /qDb2nLPPOBK/eOR6XtndAfq3axdlhmZbumLwCrxZo/P3dV9zsEsAhlz1f9XEM4Wpi6Y 02ofbHZpdrZHig3L6c9EG87yWV0Ua+TsFatOrj0uGnP++l/d4XfclpECo6VbeQheeAdN YFFw== X-Gm-Message-State: AOAM532zBGKGz8vG1pK7I6ZPlXglpYvFjKHftlixrkQ3CyOp5Hm54QFG vo/yghU1PXiMy4J1KEQfSl8bzUdwBWe5lBFiH5RIKado7Q== X-Google-Smtp-Source: ABdhPJwVogCoP6F2WZpbEJ7Ym4bAypmgA/6Z+PJqXWEl1ckCkoTJSddLUCiMOCFiQgZgl37B6rnevo5eieNH8ptxr3Y= X-Received: by 2002:ac8:7f81:: with SMTP id z1mr19581295qtj.40.1635911416198; Tue, 02 Nov 2021 20:50:16 -0700 (PDT) Received-SPF: pass client-ip=2607:f8b0:4864:20::f2f; envelope-from=0x66726565@gmail.com; helo=mail-qv1-xf2f.google.com X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:278559 Archived-At: Hi Eli! When verifying the signature of an Emacs tarball using gpg with --auto-key-retrieve, I encounter an error, which does not happen when verifying the signature of a Linux kernel in the same manner, as demonstrated below: 1. Test using Linux kernel. wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign unxz < linux-5.11.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify linux-5.11.tar.sign - The output of the last command is as follows: gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman " imported gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Greg Kroah-Hartman " [unknown] gpg: aka "Greg Kroah-Hartman " [unknown] gpg: aka "Greg Kroah-Hartman (Linux kernel stable release signing key) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E 2. Test using Emacs. wget http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz cat emacs-27.2.tar.xz | gpg --keyserver hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify emacs-27.2.tar.xz.sig - The output of the last command is as follows: gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET gpg: using RSA key 91C1262F01EB8D39 gpg: Can't check signature: No public key I have raised the issue in the gnupg-users mailing list, which has been responded as well: https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065542.html and https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065544.html Would it be possible for future Emacs signature files to have the issuer fingeprint as well? Since I have not sought through the Emacs mailing list archive, I am sorry if this issue has been raised in the past. Thank you. -- Best regards, Tadeus