From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22276: .sig
Date: Sun, 03 Jan 2016 12:10:50 +0100
Message-ID: <874meuyl39.fsf@gnu.org>
References: <874mexi3bd.fsf@gnu.org> <87d1tjxbmk.fsf@gmail.com>
In-Reply-To: <87d1tjxbmk.fsf@gmail.com> (Alex Kost's message of "Sun, 03 Jan 2016 12:20:35 +0300")
To: Alex Kost
Cc: 22276@debbugs.gnu.org

Alex Kost skribis:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> ).
>> Step 1 becomes:
>>
>>
>>   1. Download the binary tarball from
>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>      running the kernel Linux, and so on.
>>
>>      Make sure to download the associated ‘.sig’ file and to verify the
>>      authenticity of the tarball against it, along these lines:
>>
>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>>      If that command fails because you don’t have the required public
>>      key, then run this command to import it:
>>
>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
> should read gpg manual to find it out… but I won't». And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand. (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

  https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.
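
Added example, not part of the original message or of the Guix manual: a shell function that reads the machine-readable output of `gpg --status-fd` and accepts the tarball only when the signature is valid and the signing key's fingerprint ends in the expected ID (a short key ID such as `3D9AEBB5` is the last eight hex digits of the key's fingerprint). The function name `check_gpg_status` and the sample status lines, including their fingerprints, are constructed for illustration.

```shell
#!/bin/sh
# Constructed GnuPG status lines (fingerprints are made up, NOT the real key's).
FPR=0123456789ABCDEF0123456789ABCDEF3D9AEBB5
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF3D9AEBB5 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2016-01-01 1451606400 0 4 0 1 8 00 $FPR"
SAMPLE_NOKEY="[GNUPG:] ERRSIG 89ABCDEF3D9AEBB5 1 8 00 1451606400 9
[GNUPG:] NO_PUBKEY 89ABCDEF3D9AEBB5"
OTHER=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000
SAMPLE_OTHER="[GNUPG:] VALIDSIG $OTHER 2016-01-01 1451606400 0 4 0 1 8 00 $OTHER"

# Usage: gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null | check_gpg_status 3D9AEBB5
check_gpg_status() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ -n "$want" ] || { echo "usage: check_gpg_status KEYID" >&2; return 2; }
    result="no-signature"
    while read -r tag kind arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG)
                result="bad-signature"; break ;;
            ERRSIG|NO_PUBKEY)
                # Signature could not be checked, typically a missing public key.
                if [ "$result" = "no-signature" ]; then result="missing-key"; fi ;;
            VALIDSIG)
                # $arg is the fingerprint of the key that made the signature;
                # the last field is the primary key's fingerprint (subkey case).
                primary=${rest##* }
                case "$arg:$primary" in
                    *"$want":*|*"$want") result="ok" ;;
                    *) result="wrong-key"; break ;;
                esac ;;
        esac
    done
    printf '%s\n' "$result"
    [ "$result" = "ok" ]
}
```

Passing the full 40-digit fingerprint instead of the 8-digit ID makes the match stricter, since short IDs are not unique.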