From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42953)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eLIMA-0000rg-Gh
	for guix-patches@gnu.org; Sat, 02 Dec 2017 19:42:07 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eLIM6-0001px-8l
	for guix-patches@gnu.org; Sat, 02 Dec 2017 19:42:06 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:33626)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1eLIM6-0001ps-3w
	for guix-patches@gnu.org; Sat, 02 Dec 2017 19:42:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eLIM5-00007G-P9
	for guix-patches@gnu.org; Sat, 02 Dec 2017 19:42:01 -0500
Subject: [bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Resent-Message-ID: <handler.29540.B29540.1512261686406@debbugs.gnu.org>
Date: Sat, 2 Dec 2017 19:41:23 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20171203004123.GB353@jasmine.lan>
References: <20171202172327.0db2d98b@uwaterloo.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="i7F3eY7HS/tUJxUd"
Content-Disposition: inline
In-Reply-To: <20171202172327.0db2d98b@uwaterloo.ca>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Andy Patterson <ajpatter@uwaterloo.ca>
Cc: 29540@debbugs.gnu.org


--i7F3eY7HS/tUJxUd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> I downloaded the sources over https, but I didn't verify them against
> the signature provided, since I couldn't figure out where to download
> the keys from. Tips on how to find keys in general would be appreciated.

"How to use GnuPG" is probably best left to the experts:

https://gnupg.org/documentation/guides.html

But here's how I would acquire this key and verify the signature. Note
that the crucial identifier, the key fingerprint, is provided in the
error message of the first command.

------
$ gpg --verify spice-0.14.0.tar.bz2.sign                  =20
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg:                using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Can't check signature: No public key

$ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 94A9F75661F77A=
6168649B23A9D8C21429AC6C82

$ gpg --verify spice-0.14.0.tar.bz2.sign                                   =
                         =20
gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
gpg:                using RSA key 94A9F75661F77A6168649B23A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <christophe@fergeau.eu>=
" [unknown]
gpg:                 aka "Christophe Fergeau <teuf@gnome.org>" [unknown]
gpg:                 aka "Christophe Fergeau <cfergeau@gmail.com>" [unknown]
gpg:                 aka "Christophe Fergeau <cfergeau@redhat.com>" [unknow=
n]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owne=
r.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864  9B23 A9D8 C214 29AC 6C82
------

We can be reasonably sure that someone with that private key signed the
tarball. Now, is it the right key? Hopefully the upstream documentation
says which keys are considered "authorized" to sign Spice releases.

--i7F3eY7HS/tUJxUd
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlojSDMACgkQJkb6MLrK
fwgVjg/6AxRmF8Im/FQ/loZrtlFzGhzXuj2O+pDNhWWWLnUqsBDqDrkbfIdOai3W
SLGQxD+x3FnoP/fflHJ0HaMo5JGsBHF5PM18IJkqmB4Scf/S4x5HuuNgxZRPTZDM
ljqIhSuw1VFjNJfurcdE+550+plZkRp+Aj1LeRA+CUH4zJBf3NfX5cQ2elO0SJrr
oOB4V+R8nIUCtLrlj6Me+9CFJatEvGBepohtBh5iTmkXlPErpFa9upEiPusWO1iH
XyTDfrRRxfitKIArRbZq9sYviPtxJrZ6EEIUmmYHSvTmILLI8KIj+dnT5dmEw8aa
iyjiwCbz38ZaXQSeZBF0Y3r9/TsSnUvKYH/ojGvbzA/LEc1ZcWN4n3lq+ZjVTawX
PPtXmeMKupEpUWxf6ky7Nf2Z3iQ7iCunqBiVC0Ve1GZZxi0GABWFWjgZb/oxoxcd
e6Dq8Q2WMz83m0OZtin/mNuDrKtTVDqLdJcWH+cO5qZdzbI+cHgMDU7Emtm+RFS6
RDjW0OH/B6LIdCoZzwVrvfzgJutAaC9KFu33iXkIJEM8qlUoj6Q3NvZOyqcWbZR2
m07y+/JpKUJJJ71Ao6sVh3X+REhA7IsuYi1OS5wDVWiYpcphltXuKot/OrMyzZVB
zBEpDLlq2BFMtVw9JQK7lHoikbH3MjervwdNagsdsQ+unLry7Tc=
=h8/E
-----END PGP SIGNATURE-----

--i7F3eY7HS/tUJxUd--