From: Ludovic Courtès <ludo@gnu.org>
Subject: bug#22276: .sig
Date: Mon, 04 Jan 2016 11:02:45 +0100
Message-ID: <87y4c5d5mi.fsf@gnu.org>
References: <874mexi3bd.fsf@gnu.org> <87d1tjxbmk.fsf@gmail.com> <874meuyl39.fsf@gnu.org> <87si2dwuht.fsf@gmail.com>
In-Reply-To: <87si2dwuht.fsf@gmail.com> (Alex Kost's message of "Mon, 04 Jan 2016 12:42:54 +0300")
List-Id: Bug reports for GNU Guix
To: Alex Kost
Cc: 22276@debbugs.gnu.org

Alex Kost wrote:

> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost wrote:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see ).
>>>> Step 1 becomes:
>>>>
>>>>   1. Download the binary tarball from
>>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>>      running the kernel Linux, and so on.
>>>>
>>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>>      authenticity of the tarball against it, along these lines:
>>>>
>>>>        $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>        $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>>      If that command fails because you don’t have the required public
>>>>      key, then run this command to import it:
>>>>
>>>>        $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggests that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me. But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc. And as a
> total noob I trust binaries from "gnu.org" more than the scary
> "3D9AEBB5" thing just because I don't understand it.

I see. Though be aware that DNS is easily hijacked, that “gnu.org”
can be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc. Digital signatures are the mechanism to allow recipients
to verify the authenticity and integrity of tarballs.

Ludo’.
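The manual step quoted above tells the user to run `gpg --verify` and, if the key is missing, to fetch it by its short ID. The script below is an added example, not text from the Guix manual or from anyone in this thread. It wraps that same procedure in a small POSIX shell script and goes one step further than the manual: instead of trusting the short key ID, it reads gpg's machine-readable `--status-fd` output and pins the signing key's full fingerprint, so that "valid signature from the wrong key", "public key not imported yet" and "bad signature" are reported as distinct outcomes. `EXPECTED_FPR` is a placeholder for the fingerprint published in the release announcement; the function and variable names are the example's own, and the status lines used to exercise `check_status` are constructed sample input, not real gpg output.

```shell
#!/bin/sh
# Added example: verify a Guix binary tarball against its detached .sig,
# pinning the signer's full fingerprint instead of a short key ID.
# Assumes gpg and wget are installed. Not part of the Guix manual.

# Placeholder: replace with the full 40-hex-digit fingerprint from the
# release announcement (spaces and lower-case hex are accepted).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FULL_FINGERPRINT_FROM_ANNOUNCEMENT}"

# check_status reads `gpg --status-fd 1` lines on stdin and prints one word:
#   ok       - VALIDSIG whose fingerprint equals the expected one
#   wrongkey - the signature is valid but was made by a different key
#   nokey    - NO_PUBKEY: the signing key has not been imported yet
#   bad      - BADSIG, or no VALIDSIG line at all (treated as failure)
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    result=bad
    while read -r prefix keyword arg _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # First argument of VALIDSIG is the full fingerprint of the
                # key that produced the signature.
                if [ "$arg" = "$expected" ]; then result=ok; else result=wrongkey; fi ;;
            NO_PUBKEY) result=nokey ;;
            BADSIG)    result=bad; break ;;
        esac
    done
    printf '%s\n' "$result"
}

# verify_tarball TARBALL: fetch TARBALL.sig if needed, then verify.
# Exit status: 0 ok, 1 bad signature, 2 key missing, 3 unexpected signer.
verify_tarball() {
    tarball=$1
    [ -f "$tarball.sig" ] || wget -q "ftp://alpha.gnu.org/gnu/guix/$tarball.sig"
    # --status-fd 1 sends the machine-readable status lines to stdout;
    # human-readable output stays on stderr and is discarded here.
    verdict=$(gpg --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null \
              | check_status "$EXPECTED_FPR")
    case "$verdict" in
        ok)
            echo "OK: $tarball is signed by the expected key"; return 0 ;;
        nokey)
            echo "Public key not imported. Import it (e.g. gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5)," >&2
            echo "then compare its full fingerprint with the announcement before trusting it." >&2
            return 2 ;;
        wrongkey)
            echo "Signature is valid but NOT from the expected key; do not use $tarball" >&2
            return 3 ;;
        *)
            echo "BAD or missing signature; do not use $tarball" >&2
            return 1 ;;
    esac
}

# Only run when a tarball name is given, e.g.:
#   EXPECTED_FPR='...' sh verify.sh guix-binary-0.9.0.x86_64-linux.tar.xz
if [ $# -gt 0 ]; then
    verify_tarball "$1"
fi
```

The point of parsing `VALIDSIG` rather than only checking gpg's exit code is that `gpg --verify` also exits 0 for a valid signature from any key in the keyring; comparing the reported fingerprint against a value taken out-of-band (the announcement) is what ties the tarball to the intended signer, which is exactly the guarantee a hijacked DNS name or a compromised mirror cannot give.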