bug#22276: .sig

bug#22276: .sig

[carl hansen]

[-- Attachment #1: Type: text/plain, Size: 1193 bytes --]

Manual says:
- "Download the binary tarball from ‘ftp://....’2
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#FOOT2>
,Footnotes(2)
<http://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html#DOCF2>

"As usual, make sure to download the associated .sig file and to verify the
authenticity of the tarball against it!"

For those who know what you mean by that, the footnote is superfluous, for
those who don't know, it is opaque. I do the usual investigation, come up
with

gpg --verify guix-binary-0.9.0.x86_64-linux.tar.xz.sig
gpg: armor header: Version: GnuPG v2
gpg: assuming signed data in `guix-binary-0.9.0.x86_64-linux.tar.xz'
gpg: Signature made Wed 04 Nov 2015 10:23:38 AM PST using RSA key ID
3D9AEBB5
gpg: Can't check signature: public key not found

after reading the gpg man page, with its multivarous options. So now I need

"gpg --import *.asc" is how you import it into the public keyring

But now I have to find the .asc file...

**UNIX, world's largest Adventure game** as we used to say 30 years ago.

Is there some reason the actual command line to verify the sig cannot be
put into the manual?

[-- Attachment #2: Type: text/html, Size: 1432 bytes --]

bug#22276: .sig

[Ludovic Courtès]

Hi,

I’ve amended that section of the manual based on text from the
announcement (see
<https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
Step 1 becomes:

--8<---------------cut here---------------start------------->8---
  1. Download the binary tarball from
     ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
     where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
     running the kernel Linux, and so on.

     Make sure to download the associated ‘.sig’ file and to verify the
     authenticity of the tarball against it, along these lines:

          $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
          $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig

     If that command fails because you don’t have the required public
     key, then run this command to import it:

          $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

     and rerun the ‘gpg --verify’ command.
--8<---------------cut here---------------end--------------->8---

Thanks for your feedback!

Ludo’.

bug#22276: .sig

[Alex Kost]

Ludovic Courtès (2016-01-01 21:04 +0300) wrote:

> I’ve amended that section of the manual based on text from the
> announcement (see
> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
> Step 1 becomes:
>
>
>   1. Download the binary tarball from
>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>      running the kernel Linux, and so on.
>
>      Make sure to download the associated ‘.sig’ file and to verify the
>      authenticity of the tarball against it, along these lines:
>
>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>
>      If that command fails because you don’t have the required public
>      key, then run this command to import it:
>
>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
Hm, apparently it is some key, but what key? where did it come from? is
it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
should read gpg manual to find it out… but I won't».  And then I will
not check the signature because I trust the tarball from "gnu.org" but I
don't trust a thing that I don't understand.  (I talk only for myself,
I think other people are more conscious users)

I think it will be also good to explain what "3D9AEBB5" means.

-- 
Alex

bug#22276: .sig

[Ludovic Courtès]

Alex Kost <alezost@gmail.com> skribis:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>
>>   1. Download the binary tarball from
>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>      running the kernel Linux, and so on.
>>
>>      Make sure to download the associated ‘.sig’ file and to verify the
>>      authenticity of the tarball against it, along these lines:
>>
>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>>      If that command fails because you don’t have the required public
>>      key, then run this command to import it:
>>
>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
> should read gpg manual to find it out… but I won't».  And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand.  (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

  https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.

bug#22276: .sig

[Ludovic Courtès]

Seems that the GPH repository given at
<https://www.gnupg.org/download/cvs_access.html> is now unreachable:

--8<---------------cut here---------------start------------->8---
$ cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gph co gph
cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
--8<---------------cut here---------------end--------------->8---

Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.

We could refer to the GnuPG manual, but it’s very much a reference
manual and doesn’t introduce OpenPGP concepts.

It sounds like fixing this documentation issue is beyond the scope of
Guix; on possible fix would be to revive the GPH, possibly converting it
to Texinfo and integrating it into GnuPG itself.

Thoughts?

Ludo’.

bug#22276: .sig

[Alex Kost]

Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost <alezost@gmail.com> skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scaring
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex

bug#22276: .sig

[Alex Kost]

Ludovic Courtès (2016-01-03 14:22 +0300) wrote:

> Seems that the GPH repository given at
> <https://www.gnupg.org/download/cvs_access.html> is now unreachable:
>
> $ cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gph co gph
> cvs [checkout aborted]: connect to cvs.gnupg.org(217.69.76.56):2401 failed: Connection refused
>
> Incidentally, it’s DocBook, not Texinfo, so not convenient to refer to.
>
> We could refer to the GnuPG manual, but it’s very much a reference
> manual and doesn’t introduce OpenPGP concepts.

Yes, I think a reference to the gpg manual wouldn't help (I didn't find
an answer to my question there)

> It sounds like fixing this documentation issue is beyond the scope of
> Guix;

I agree.

> on possible fix would be to revive the GPH, possibly converting it
> to Texinfo and integrating it into GnuPG itself.

It would be great, but I'm not a volunteer :-)

-- 
Alex

bug#22276: .sig

[Ludovic Courtès]

Alex Kost <alezost@gmail.com> skribis:

> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <alezost@gmail.com> skribis:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>>   1. Download the binary tarball from
>>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>>      running the kernel Linux, and so on.
>>>>
>>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>>      authenticity of the tarball against it, along these lines:
>>>>
>>>>           $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>>      If that command fails because you don’t have the required public
>>>>      key, then run this command to import it:
>>>>
>>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me.  But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc.  And as a
> total noob I trust binaries from "gnu.org" more than the scaring
> "3D9AEBB5" thing just because I don't understand it.

I see.  Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.

Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.

Ludo’.