From: Alex Kost
Subject: bug#22276: .sig
Date: Mon, 04 Jan 2016 12:42:54 +0300
Message-ID: <87si2dwuht.fsf@gmail.com>
To: Ludovic Courtès
Cc: 22276@debbugs.gnu.org

Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> ).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scaring
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex
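
On the question of what "3D9AEBB5" identifies, the following is an added example (not part of this thread or of the Guix manual) that reads gpg's machine-readable `--status-fd` output and confirms that a valid signature was made by the key with that ID. The function names and the sample status lines are constructed for illustration, and the padded fingerprints are placeholders rather than any real key's fingerprint.

```shell
#!/bin/sh
# Read `gpg --status-fd 1 --verify FILE.sig` output on stdin and succeed
# only if a VALIDSIG line names the expected key, e.g.:
#   gpg --status-fd 1 --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig | sig_matches_key 3D9AEBB5
#   $1: expected key ID or full fingerprint (hex; spaces/case ignored).
# An 8-digit ID such as 3D9AEBB5 is the last 32 bits of the fingerprint,
# so passing the full fingerprint is the stronger check.
sig_matches_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in
        ''|*[!0-9A-F]*) return 2 ;;        # not hex
    esac
    [ "${#want}" -ge 8 ] || return 2       # shorter than a short key ID
    awk -v want="$want" '
        function ends_with(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        # VALIDSIG: $3 is the fingerprint of the key that signed; the
        # last field is its primary key fingerprint (differs for subkeys).
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (ends_with(toupper($3), want) || ends_with(toupper($NF), want))
                ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed status output; all fingerprints are padded placeholders.
sample_good() {        # valid, signed by a subkey of the expected key
    cat <<'EOF'
[GNUPG:] GOODSIG 1111111122222222 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111122222222 2016-01-04 1451900000 0 4 0 1 8 00 000000000000000000000000000000003D9AEBB5
EOF
}
sample_bad() {         # signature does not match the file
    cat <<'EOF'
[GNUPG:] BADSIG 000000003D9AEBB5 Example Signer <signer@example.org>
EOF
}
sample_other_key() {   # valid signature, but made by a different key
    cat <<'EOF'
[GNUPG:] VALIDSIG 3333333333333333333333333333333333333333 2016-01-04 1451900000 0 4 0 1 8 00 3333333333333333333333333333333333333333
EOF
}
```

The third sample is the case the key ID exists to catch: gpg reports a cryptographically valid signature, but from a key other than the one the instructions name.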