all messages for Guix-related lists mirrored at yhetil.org
* gpg --verify
@ 2017-02-17 11:05 Catonano
  2017-02-17 12:45 ` Ricardo Wurmus
  0 siblings, 1 reply; 7+ messages in thread
From: Catonano @ 2017-02-17 11:05 UTC (permalink / raw)
  To: help-guix

In verifying the installation image, I type this line in the terminal

$ gpg --verify guixsd-usb-install-0.12.0.x86_64-linux.xz.sig

Please note that I borrowed this line from the instructions for the binary
installation, but I am using it for the GuixSD verification.

What I get is:

gpg: non ci sono dati firmati
gpg: can't hash datafile: errore durante l'apertura del file

"non ci sono dati firmati" means "there are no signed data"
"errore durante l'apertura del file" means "error during opening of the file"

This is on Fedora 25 with an Italian locale

Of course, this is the ls of the folder I run this line into

$ ls
Fedora-Workstation-25-1.3-x86_64-CHECKSUM
Fedora-Workstation-Live-x86_64-25-1.3.iso
guixsd-usb-install-0.12.0.x86_64-linux
guixsd-usb-install-0.12.0.x86_64-linux.xz.sig

Thanks for your patience


* Re: gpg --verify
  2017-02-17 11:05 gpg --verify Catonano
@ 2017-02-17 12:45 ` Ricardo Wurmus
  2017-02-17 13:14   ` Catonano
  0 siblings, 1 reply; 7+ messages in thread
From: Ricardo Wurmus @ 2017-02-17 12:45 UTC (permalink / raw)
  To: Catonano; +Cc: help-guix


Catonano <catonano@gmail.com> writes:

> $ ls
> Fedora-Workstation-25-1.3-x86_64-CHECKSUM
> Fedora-Workstation-Live-x86_64-25-1.3.iso
> guixsd-usb-install-0.12.0.x86_64-linux
> guixsd-usb-install-0.12.0.x86_64-linux.xz.sig

Looks like you’ve already unpacked the xz archive.  It should work fine
before unpacking.

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net


* Re: gpg --verify
  2017-02-17 12:45 ` Ricardo Wurmus
@ 2017-02-17 13:14   ` Catonano
  2017-02-17 13:14     ` Catonano
                       ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Catonano @ 2017-02-17 13:14 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

2017-02-17 13:45 GMT+01:00 Ricardo Wurmus <rekado@elephly.net>:

>
> Catonano <catonano@gmail.com> writes:
>
> > $ ls
> > Fedora-Workstation-25-1.3-x86_64-CHECKSUM
> > Fedora-Workstation-Live-x86_64-25-1.3.iso
> > guixsd-usb-install-0.12.0.x86_64-linux
> > guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
>
> Looks like you’ve already unpacked the xz archive.  It should work fine
> before unpacking.
>
>

Right, sorry for the noise

So, this is it now

$ gpg --verify guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
gpg: i dati sono probabilmente firmati in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
gpg: Firma eseguita in data mer 21 dic 2016 13:46:39 CET usando RSA, ID chiave 235FACAC
gpg: lookup_hashtable failed: eof
gpg: Firma valida da "rekado <rekado@elephly.net>"
gpg: lookup_hashtable failed: eof
gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata.
gpg:          Non ci sono indicazioni che la firma appartenga al proprietario.
Impronta digitale chiave primaria: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC

There's a warning

data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
...
this key is not certified with a trusted signature
There are no indications that the signature actually belongs to its owner

Is this good enough?


* Re: gpg --verify
  2017-02-17 13:14   ` Catonano
@ 2017-02-17 13:14     ` Catonano
  2017-02-17 13:42     ` Ricardo Wurmus
  2017-02-17 14:32     ` ng0
  2 siblings, 0 replies; 7+ messages in thread
From: Catonano @ 2017-02-17 13:14 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

I forgot: Rekado, thank you so much !


* Re: gpg --verify
  2017-02-17 13:14   ` Catonano
  2017-02-17 13:14     ` Catonano
@ 2017-02-17 13:42     ` Ricardo Wurmus
  2017-02-17 14:06       ` Catonano
  2017-02-17 14:32     ` ng0
  2 siblings, 1 reply; 7+ messages in thread
From: Ricardo Wurmus @ 2017-02-17 13:42 UTC (permalink / raw)
  To: Catonano; +Cc: help-guix


Catonano <catonano@gmail.com> writes:

> There's a warning
>
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
>
> Is this good enough?

Yes, this sounds scary but it is expected.  With GPG you can assign a
level of trust to keys.  If there’s a signature on my key from a key
that you have marked as trusted (e.g. Ludo’s signature, and you mark
Ludo’s key as trustworthy), then the warning would change or disappear.
The warning just indicates that there is no “trust path” to my key.

If this were a forged signature you would see a scarier validation
error, not just a warning.

It’s not great UX, I agree.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net
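
The distinction drawn in the reply above (a trust warning on a good signature versus a failed verification) can be checked mechanically. This is an added example, not part of the thread or of Guix: it reads gpg's `--status-fd` lines, which are not translated by the locale, and pins the fingerprint printed in the thread. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `gpg --status-fd` output.
# Fingerprint as printed in the thread, spaces removed.
EXPECTED_FPR=BCA689B636553801C3C62150197A5888235FACAC

# Reads status lines on stdin, prints one verdict, returns 0 only for ok-*.
classify_gpg_status() {
    want=$1 good=0 bad=0 fprs="" trust=no
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)  good=1 ;;
            BADSIG)   bad=1 ;;
            # first field: signing key; last field: primary key fingerprint
            VALIDSIG) fprs="$fprs $a1 ${rest##* }" ;;
            TRUST_ULTIMATE|TRUST_FULLY) trust=yes ;;
        esac
    done
    if [ "$bad" = 1 ]; then echo bad; return 1; fi           # data/signature mismatch
    if [ "$good" != 1 ]; then echo unverified; return 1; fi  # e.g. ERRSIG, NO_PUBKEY
    case " $fprs " in
        *" $want "*) ;;
        *) echo wrong-key; return 1 ;;                       # valid, but not the pinned key
    esac
    if [ "$trust" = yes ]; then echo ok-trusted; else echo ok-untrusted; fi
}

# Constructed sample: status output for a good signature with no trust path
# (timestamp and algorithm numbers are illustrative).
sample_untrusted() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 197A5888235FACAC rekado <rekado@elephly.net>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-12-21 1482324399 0 4 0 1 8 00 $EXPECTED_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: status output when the data does not match the signature.
sample_bad() {
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] BADSIG 197A5888235FACAC rekado <rekado@elephly.net>"
}

# Real use: verify_image FILE.xz.sig FILE.xz
verify_image() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_gpg_status "$EXPECTED_FPR"
}
```

The case from the thread comes out as `ok-untrusted`: the signature is good and made by the pinned key, and only the local trust path is missing.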


* Re: gpg --verify
  2017-02-17 13:42     ` Ricardo Wurmus
@ 2017-02-17 14:06       ` Catonano
  0 siblings, 0 replies; 7+ messages in thread
From: Catonano @ 2017-02-17 14:06 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

2017-02-17 14:42 GMT+01:00 Ricardo Wurmus <rekado@elephly.net>:

> Yes, this sounds scary but it is expected.  With GPG you can assign a
> level of trust to keys.  If there’s a signature on my key from a key
> that you have marked as trusted (e.g. Ludo’s signature, and you mark
> Ludo’s key as trustworthy), then the warning would change or disappear.
> The warning just indicates that there is no “trust path” to my key.
>
> If this were a forged signature you would see a scarier validation
> error, not just a warning.


Ok, thanks for clarifying 🙏


* Re: gpg --verify
  2017-02-17 13:14   ` Catonano
  2017-02-17 13:14     ` Catonano
  2017-02-17 13:42     ` Ricardo Wurmus
@ 2017-02-17 14:32     ` ng0
  2 siblings, 0 replies; 7+ messages in thread
From: ng0 @ 2017-02-17 14:32 UTC (permalink / raw)
  To: Catonano; +Cc: help-guix

On 17-02-17 14:14:03, Catonano wrote:
> 2017-02-17 13:45 GMT+01:00 Ricardo Wurmus <rekado@elephly.net>:
> 
> >
> > Catonano <catonano@gmail.com> writes:
> >
> > > $ ls
> > > Fedora-Workstation-25-1.3-x86_64-CHECKSUM
> > > Fedora-Workstation-Live-x86_64-25-1.3.iso
> > > guixsd-usb-install-0.12.0.x86_64-linux
> > > guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
> >
> > Looks like you’ve already unpacked the xz archive.  It should work fine
> > before unpacking.
> >
> >
> 
> Right, sorry for the noise
> 
> So, this is it now
> 
> $ gpg --verify guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
> gpg: i dati sono probabilmente firmati in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> gpg: Firma eseguita in data mer 21 dic 2016 13:46:39 CET usando RSA, ID chiave 235FACAC
> gpg: lookup_hashtable failed: eof
> gpg: Firma valida da "rekado <rekado@elephly.net>"
> gpg: lookup_hashtable failed: eof
> gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata.
> gpg:          Non ci sono indicazioni che la firma appartenga al proprietario.
> Impronta digitale chiave primaria: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> 
> There's a warning
> 
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
> 
> Is this good enough?

Yes, this is local. I'm not sure which gpg version Fedora has or
whatever your settings are (please don't paste them), but this is good
enough.
Newer GnuPG has the TOFU functionality you could use, for example (look
for tofu in the documentation of GPG).
-- 
ng0 -- https://www.inventati.org/patternsinthechaos/
