From: ludo@gnu.org (Ludovic Courtès)
To: Alex Kost <alezost@gmail.com>
Cc: 22276@debbugs.gnu.org
Subject: bug#22276: .sig
Date: Mon, 04 Jan 2016 11:02:45 +0100 [thread overview]
Message-ID: <87y4c5d5mi.fsf@gnu.org> (raw)
In-Reply-To: <87si2dwuht.fsf@gmail.com> (Alex Kost's message of "Mon, 04 Jan 2016 12:42:54 +0300")
Alex Kost <alezost@gmail.com> skribis:
> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <alezost@gmail.com> skribis:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>> 1. Download the binary tarball from
>>>> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>> running the kernel Linux, and so on.
>>>>
>>>> Make sure to download the associated ‘.sig’ file and to verify the
>>>> authenticity of the tarball against it, along these lines:
>>>>
>>>> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>> If that command fails because you don’t have the required public
>>>> key, then run this command to import it:
>>>>
>>>> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me. But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc. And as a
> total noob I trust binaries from "gnu.org" more than the scaring
> "3D9AEBB5" thing just because I don't understand it.
I see. Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.
Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.
Ludo’.
next prev parent reply other threads:[~2016-01-04 10:04 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-31 0:19 bug#22276: .sig carl hansen
2016-01-01 18:04 ` Ludovic Courtès
2016-01-03 9:20 ` Alex Kost
2016-01-03 11:10 ` Ludovic Courtès
2016-01-04 9:42 ` Alex Kost
2016-01-04 10:02 ` Ludovic Courtès [this message]
2016-01-03 11:22 ` Ludovic Courtès
2016-01-04 9:50 ` Alex Kost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y4c5d5mi.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=22276@debbugs.gnu.org \
--cc=alezost@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).