bug#22276: .sig

[Alex Kost]

Ludovic Courtès (2016-01-01 21:04 +0300) wrote:

> I’ve amended that section of the manual based on text from the
> announcement (see
> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
> Step 1 becomes:
>
>
>   1. Download the binary tarball from
>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>      running the kernel Linux, and so on.
>
>      Make sure to download the associated ‘.sig’ file and to verify the
>      authenticity of the tarball against it, along these lines:
>
>           $ wget 
> ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>
>      If that command fails because you don’t have the required public
>      key, then run this command to import it:
>
>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5

Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
Hm, apparently it is some key, but what key? where did it come from? is
it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
should read gpg manual to find it out… but I won't».  And then I will
not check the signature because I trust the tarball from "gnu.org" but I
don't trust a thing that I don't understand.  (I talk only for myself,
I think other people are more conscious users)

I think it will be also good to explain what "3D9AEBB5" means.

-- 
Alex