bug#22276: .sig

[Ludovic Courtès]

Alex Kost <address@hidden> skribis:

> Ludovic Courtès (2016-01-03 14:10 +0300) wrote:
>
>> Alex Kost <address@hidden> skribis:
>>
>>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>>
>>>> I’ve amended that section of the manual based on text from the
>>>> announcement (see
>>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>>> Step 1 becomes:
>>>>
>>>>
>>>>   1. Download the binary tarball from
>>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>>      running the kernel Linux, and so on.
>>>>
>>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>>      authenticity of the tarball against it, along these lines:
>>>>
>>>>           $ wget 
>>>> ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>>
>>>>      If that command fails because you don’t have the required public
>>>>      key, then run this command to import it:
>>>>
>>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>>
>>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>>
>> I would expect that the command together with the previous sentence
>> suggest that 3D9AEBB5 identifies the key used to sign the package, no?
>
> Hm, not for me.  But obviously my problem comes from the fact that I
> know nothing about encryption, security, signatures, etc.  And as a
> total noob I trust binaries from "gnu.org" more than the scaring
> "3D9AEBB5" thing just because I don't understand it.

I see.  Though be aware that DNS is easily hijacked, that “gnu.org” can
be made to resolve to something else, and that gnu.org’s machines could
be compromised with an attacker changing the contents of archives
therein, etc.

Digital signatures are the mechanism to allow recipients to verify the
authenticity and integrity of tarballs.

Ludo’.