unofficial mirror of guix-patches@gnu.org 
From: Leo Famulari <leo@famulari.name>
To: Andy Patterson <ajpatter@uwaterloo.ca>
Cc: 29540@debbugs.gnu.org
Subject: [bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Date: Sat, 2 Dec 2017 19:41:23 -0500
Message-ID: <20171203004123.GB353@jasmine.lan>
In-Reply-To: <20171202172327.0db2d98b@uwaterloo.ca>

On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> I downloaded the sources over https, but I didn't verify them against
> the signature provided, since I couldn't figure out where to download
> the keys from. Tips on how to find keys in general would be appreciated.

"How to use GnuPG" is probably best left to the experts:

https://gnupg.org/documentation/guides.html

But here's how I would acquire this key and verify the signature. Note
that the crucial identifier, the key fingerprint, is provided in the
error message of the first command.

------
$ gpg --verify spice-0.14.0.tar.bz2.sign                   
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg:                using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Can't check signature: No public key

$ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A6168649B23A9D8C21429AC6C82

$ gpg --verify spice-0.14.0.tar.bz2.sign                                                             
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg:                using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>" [unknown]
gpg:                 aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
gpg:                 aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
gpg:                 aka "Christophe Fergeau <cfergeau@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864  9B23 A9D8 C214 29AC 6C82
------

We can be reasonably sure that someone with that private key signed the
tarball. Now, is it the right key? Hopefully the upstream documentation
says which keys are considered "authorized" to sign Spice releases.
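
The check the message ends on, as an added example that is not part of the original message or of Guix: once upstream documentation confirms the fingerprint, a script can pin it and compare it with the VALIDSIG line of gpg's machine-readable --status-fd output rather than reading the human-oriented text. The function names and the sample status lines are assumptions constructed for illustration; the fingerprint and file names are the ones shown in the message.

```shell
#!/bin/sh
# Added example: accept a release only if it is signed by a pinned key.

# Fingerprint printed by the first `gpg --verify` in the message above.
# Pin it only after confirming it against upstream's documentation.
PINNED_FPR=94A9F75661F77A6168649B23A9D8C21429AC6C82

# Read `gpg --status-fd` lines on stdin and print the primary-key
# fingerprint of the first valid signature; fail if there is none.
# VALIDSIG arguments: sig-fpr date timestamp expire version reserved
#                     pubkey-algo hash-algo sig-class [primary-key-fpr]
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (NF >= 12 ? $12 : $3); found = 1; exit
         }
         END { exit !found }'
}

# Succeed only if the status lines on stdin carry a VALIDSIG whose
# primary key is exactly the fingerprint given as $1.
status_matches_pin() {
    fpr=$(validsig_primary_fpr) || return 1
    [ "$fpr" = "$1" ]
}

# Run gpg on SIGFILE and DATAFILE and apply the pin. Needs gpg and the
# key already in the keyring. gpg exits 0 for a good signature even when
# the key is uncertified ("[unknown]"), so the pin is what decides.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_pin "$PINNED_FPR"
}

# Constructed status lines (not captured output) in the shape gpg emits.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9D8C21429AC6C82 Christophe Fergeau (teuf) <christophe@fergeau.eu>
[GNUPG:] VALIDSIG 94A9F75661F77A6168649B23A9D8C21429AC6C82 2017-10-11 1507721638 0 4 0 1 8 00 94A9F75661F77A6168649B23A9D8C21429AC6C82'

# Usage with the real files:
#   verify_pinned spice-0.14.0.tar.bz2.sign spice-0.14.0.tar.bz2 && echo "pinned key OK"
```
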
