bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22276: .sig

From: Alex Kost
Subject: bug#22276: .sig
Date: Mon, 04 Jan 2016 12:42:54 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) 
Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost <address@hidden> skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget 
>>> ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scaring
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server?  OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex
reply via email to
[Prev in Thread] Current Thread [Next in Thread]