From: ng0
Subject: Re: gpg --verify
Date: Fri, 17 Feb 2017 14:32:33 +0000
Message-ID: <20170217143233.g5vrkmxjfvhpryfs@wasp>
References: <87r32x7zpl.fsf@elephly.net>
To: Catonano
Cc: help-guix

On 17-02-17 14:14:03, Catonano wrote:
> 2017-02-17 13:45 GMT+01:00 Ricardo Wurmus:
>
> > Catonano writes:
> >
> > > $ ls
> > > Fedora-Workstation-25-1.3-x86_64-CHECKSUM
> > > Fedora-Workstation-Live-x86_64-25-1.3.iso
> > > guixsd-usb-install-0.12.0.x86_64-linux
> > > guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
> >
> > Looks like you’ve already unpacked the xz archive. It should work fine
> > before unpacking.
>
> Right, sorry for the noise
>
> So, this is it now
>
> $ gpg --verify guixsd-usb-install-0.12.0.x86_64-linux.xz.sig
> gpg: i dati sono probabilmente firmati in
> "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> gpg: Firma eseguita in data mer 21 dic 2016 13:46:39 CET usando RSA, ID
> chiave 235FACAC
> gpg: lookup_hashtable failed: eof
> gpg: Firma valida da "rekado "
> gpg: lookup_hashtable failed: eof
> gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata.
> gpg: Non ci sono indicazioni che la firma appartenga al
> proprietario.
> Impronta digitale chiave primaria: BCA6 89B6 3655 3801 C3C6 2150 197A 5888
> 235F ACAC
>
> There's a warning
>
> data probably signed in "guixsd-usb-install-0.12.0.x86_64-linux.xz"
> ...
> this key is not certified with a trusted signature
> There are no indications that the signature actually belongs to its owner
>
> is this good enough?

Yes, this is local. I'm not sure which gpg version Fedora has or
whatever your settings are (please don't paste them), but this is good
enough. Newer GnuPG has the tofu functionality you could use for example
(look for tofu in the documentation of GPG).

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/
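
Added example, not part of the original message or the Guix project's own tooling: the warning in the quoted output means gpg found a valid signature but has no local trust path to the key, so the remaining check is whether the fingerprint is the one you expect. The script below reads gpg's machine-readable status output and accepts the file only if the signature is valid and made by a pinned key; the function names and the script name `verify-pinned.sh` are hypothetical, and the pinned value is the fingerprint shown in the quoted output, assumed to have been confirmed through a second channel.

```shell
#!/bin/sh
# Added example (not from the thread): accept a detached signature only when
# gpg reports it valid AND it was made by a pinned primary key.

# Fingerprint copied from the gpg output quoted above, spaces removed.
# Assumption: you have confirmed it through a second channel.
PINNED="BCA689B636553801C3C62150197A5888235FACAC"

# stdin: `gpg --status-fd` lines. Prints the primary key fingerprint of the
# first valid signature. In a VALIDSIG line field 12 is the primary key
# fingerprint; when gpg omits it, field 3 (the signing key) is used instead.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1: expected fingerprint (spaces and lower case allowed); stdin: status lines.
# Returns 0 only if a VALIDSIG line names exactly that key.
status_matches_pin() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# $1: detached .sig file, $2: the signed file (the .xz, before unpacking).
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$PINNED"
}

# Runs only when called as: sh verify-pinned.sh FILE.sig FILE
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: valid signature from pinned key $PINNED"
    else
        echo "FAIL: no valid signature from pinned key" >&2
        exit 1
    fi
fi
```
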