unofficial mirror of bug-guix@gnu.org 
* bug#22276: .sig
From: carl hansen @ 2015-12-31  0:19 UTC (permalink / raw)
  To: 22276


Manual says:
- "Download the binary tarball from ‘ftp://....’" (footnote 2,
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#FOOT2>)

Footnote (2)
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#DOCF2>:

"As usual, make sure to download the associated .sig file and to verify the
authenticity of the tarball against it!"

For those who know what you mean by that, the footnote is superfluous, for
those who don't know, it is opaque. I do the usual investigation, come up
with

gpg --verify guix-binary-0.9.0.x86_64-linux.tar.xz.sig
gpg: armor header: Version: GnuPG v2
gpg: assuming signed data in `guix-binary-0.9.0.x86_64-linux.tar.xz'
gpg: Signature made Wed 04 Nov 2015 10:23:38 AM PST using RSA key ID 3D9AEBB5
gpg: Can't check signature: public key not found

after reading the gpg man page, with its multifarious options. So now I need

"gpg --import *.asc" is how you import it into the public keyring

But now I have to find the .asc file...

**UNIX, world's largest Adventure game** as we used to say 30 years ago.

Is there some reason the actual command line to verify the sig cannot be
put into the manual?



* bug#22276: .sig
From: Ludovic Courtès @ 2016-01-01 18:04 UTC (permalink / raw)
  To: carl hansen; +Cc: 22276

Hi,

I’ve amended that section of the manual based on text from the
announcement (see
<https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
Step 1 becomes:

--8<---------------cut here---------------start------------->8---
  1. Download the binary tarball from
     ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
     where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
     running the kernel Linux, and so on.

     Make sure to download the associated ‘.sig’ file and to verify the
     authenticity of the tarball against it, along these lines:

          $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
          $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig

     If that command fails because you don’t have the required public
     key, then run this command to import it:

          $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

     and rerun the ‘gpg --verify’ command.
--8<---------------cut here---------------end--------------->8---

Thanks for your feedback!

Ludo’.


* bug#22276: .sig
From: Alex Kost @ 2016-01-03  9:20 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22276

Ludovic Courtès (2016-01-01 21:04 +0300) wrote:

> I’ve amended that section of the manual based on text from the
> announcement (see
> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
> Step 1 becomes:
>
>
>   1. Download the binary tarball from
>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>      running the kernel Linux, and so on.
>
>      Make sure to download the associated ‘.sig’ file and to verify the
>      authenticity of the tarball against it, along these lines:
>
>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>
>      If that command fails because you don’t have the required public
>      key, then run this command to import it:
>
>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
Hm, apparently it is some key, but what key? where did it come from? is
it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
should read gpg manual to find it out… but I won't».  And then I will
not check the signature because I trust the tarball from "gnu.org" but I
don't trust a thing that I don't understand.  (I talk only for myself,
I think other people are more conscious users)

I think it will be also good to explain what "3D9AEBB5" means.

-- 
Alex

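The question in the message above ("what is this 3D9AEBB5 thing?") can be answered by looking inside the .sig file itself: a detached OpenPGP signature is a single RFC 4880 signature packet whose subpackets name the key that produced it. The following parser is an added example, not code from this thread, from Guix or from GnuPG. It reads the packet header, walks the hashed and unhashed subpacket areas and extracts the creation time, the 64-bit issuer key ID (the low 64 bits of the key's fingerprint) and, when present, the full issuer fingerprint. The short ID that gpg prints ("3D9AEBB5") is just the last 32 bits of that key ID. The sample signature bytes are constructed here with a made-up fingerprint and a dummy MPI; only the creation time is taken from the gpg output quoted in the first message.

```python
"""Parse the metadata of a detached OpenPGP (RFC 4880) v4 signature packet."""
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME = 2    # subpacket type: signature creation time
ISSUER_KEY_ID = 16       # subpacket type: 64-bit issuer key ID
ISSUER_FINGERPRINT = 33  # subpacket type: issuer fingerprint (GnuPG >= 2.1 / RFC 4880bis)

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def _packet_body(data):
    """Return (tag, body) of the first packet; handles old- and new-format headers."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format header
        tag, l1 = first & 0x3F, data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def _subpackets(area):
    """Yield (type, data) for each subpacket; the length field covers type + data."""
    i = 0
    while i < len(area):
        l1 = area[i]
        if l1 < 192:
            length, i = l1, i + 1
        elif l1 < 255:
            length, i = ((l1 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the "critical" bit
        i += length


def parse_signature(sig_bytes):
    """Return a dict describing a v4 signature packet (binary .sig, not ASCII-armored)."""
    tag, body = _packet_body(sig_bytes)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    info = {"sig_type": body[1],
            "pubkey_algo": PUBKEY_ALGOS.get(body[2], str(body[2])),
            "hash_algo": HASH_ALGOS.get(body[3], str(body[3])),
            "created": None, "issuer_key_id": None, "issuer_fingerprint": None}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    for area in (hashed, unhashed):
        for sp_type, sp_data in _subpackets(area):
            if sp_type == SIG_CREATION_TIME:
                ts = struct.unpack(">I", sp_data)[0]
                info["created"] = datetime.fromtimestamp(ts, timezone.utc)
            elif sp_type == ISSUER_KEY_ID:
                info["issuer_key_id"] = sp_data.hex().upper()
            elif sp_type == ISSUER_FINGERPRINT and sp_data[0] == 4:
                info["issuer_fingerprint"] = sp_data[1:].hex().upper()
    return info


def short_key_id(info):
    """The 8-hex-digit form gpg prints: the low 32 bits of the 64-bit key ID."""
    return info["issuer_key_id"][-8:]


def issuer_matches(info, expected_fingerprint):
    """Pin the full 160-bit fingerprint; a 32-bit short ID is trivially collidable."""
    fp = expected_fingerprint.replace(" ", "").upper()
    if info["issuer_fingerprint"]:
        return info["issuer_fingerprint"] == fp
    # Older signatures carry only the key ID, i.e. the low 64 bits of the fingerprint.
    return info["issuer_key_id"] == fp[-16:]


def _subpacket(sp_type, data):
    body = bytes([sp_type]) + data
    return bytes([len(body)]) + body       # one-byte length form (< 192)


# Constructed sample (NOT a real Guix signature): RSA/SHA256 binary-document
# signature from a made-up fingerprint, dummy 16-bit MPI as the signature value.
FAKE_FINGERPRINT = bytes.fromhex("AA" * 12 + "0123456789ABCDEF")   # 20 bytes
_hashed = (_subpacket(SIG_CREATION_TIME, struct.pack(">I", 1446661418))
           + _subpacket(ISSUER_FINGERPRINT, b"\x04" + FAKE_FINGERPRINT))
_unhashed = _subpacket(ISSUER_KEY_ID, FAKE_FINGERPRINT[-8:])
_body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed
         + struct.pack(">H", len(_unhashed)) + _unhashed
         + b"\x12\x34" + struct.pack(">H", 16) + b"\xff\xff")
SAMPLE_SIG_OLD_HDR = bytes([0x88, len(_body)]) + _body   # old-format header, tag 2
SAMPLE_SIG_NEW_HDR = bytes([0xC2, len(_body)]) + _body   # new-format header, tag 2

if __name__ == "__main__":
    info = parse_signature(SAMPLE_SIG_OLD_HDR)
    print(f"Signature made {info['created']:%a %d %b %Y %H:%M:%S %Z} "
          f"using {info['pubkey_algo']} key ID {short_key_id(info)}")
    print("pinned fingerprint matches:",
          issuer_matches(info, "AAAA AAAA AAAA AAAA AAAA AAAA 0123 4567 89AB CDEF"))
```

To inspect a real file, read it in binary mode (`parse_signature(open("x.tar.xz.sig", "rb").read())`); ASCII-armored signatures would first need the base64 body decoded. The parser only extracts metadata and does not verify the signature, so it tells you which key a signature claims to come from, while `gpg --verify` against a pinned fingerprint remains the actual check.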

* bug#22276: .sig
From: Ludovic Courtès @ 2016-01-03 11:10 UTC (permalink / raw)
  To: Alex Kost; +Cc: 22276

Alex Kost <alezost@gmail.com> wrote:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>
>>   1. Download the binary tarball from
>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>      running the kernel Linux, and so on.
>>
>>      Make sure to download the associated ‘.sig’ file and to verify the
>>      authenticity of the tarball against it, along these lines:
>>
>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>>      If that command fails because you don’t have the required public
>>      key, then run this command to import it:
>>
>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
> should read gpg manual to find it out… but I won't».  And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand.  (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

  https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.


* bug#22276: .sig
From: Ludovic Courtès @ 2016-01-03 11:22 UTC (permalink / raw)
  To: Alex Kost; +Cc: 22276

Seems that the GPH repository given at
<https://www.gnupg.org/download/cvs_access.html> is now unreachable:

--8<---------------cut here---------------start------------->8---
$ cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gph co gph
cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
--8<---------------cut here---------------end--------------->8---

Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.

We could refer to the GnuPG manual, but it’s very much a reference
manual and doesn’t introduce OpenPGP concepts.

It sounds like fixing this documentation issue is beyond the scope of
Guix; one possible fix would be to revive the GPH, possibly converting it
to Texinfo and integrating it into GnuPG itself.

Thoughts?

Ludo’.


* bug#22276: .sig
From: Alex Kost @ 2016-01-04  9:42 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22276

Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost <alezost@gmail.com> wrote:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scaring
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex


* bug#22276: .sig
From: Alex Kost @ 2016-01-04  9:50 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22276

Ludovic Courtès (2016-01-03 14:22 +0300) wrote:

> Seems that the GPH repository given at
> <https://www.gnupg.org/download/cvs_access.html> is now unreachable:
>
> $ cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gph co gph
> cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
>
> Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.
>
> We could refer to the GnuPG manual, but it’s very much a reference
> manual and doesn’t introduce OpenPGP concepts.

Yes, I think a reference to the gpg manual wouldn't help (I didn't find
an answer to my question there).

> It sounds like fixing this documentation issue is beyond the scope of
> Guix;

I agree.

> on possible fix would be to revive the GPH, possibly converting it
> to Texinfo and integrating it into GnuPG itself.

It would be great, but I'm not a volunteer :-)

-- 
Alex


* bug#22276: .sig
From: Ludovic Courtès @ 2016-01-04 10:02 UTC (permalink / raw)
  To: Alex Kost; +Cc: 22276

Alex Kost <alezost@gmail.com> wrote:

> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <alezost@gmail.com> wrote:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>>   1. Download the binary tarball from
>>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>>      running the kernel Linux, and so on.
>>>>
>>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>>      authenticity of the tarball against it, along these lines:
>>>>
>>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>>      If that command fails because you don’t have the required public
>>>>      key, then run this command to import it:
>>>>
>>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me.  But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc.  And as a
> total noob I trust binaries from "gnu.org" more than the scaring
> "3D9AEBB5" thing just because I don't understand it.

I see.  Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.

Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.

Ludo’.
