Re: Verifying sig for gnu parallel

[Ole Tange]

On Tue, May 14, 2013 at 12:55 AM, Shahar Roth <rothshahar@yahoo.com> wrote:

> Hi Ole,

Please use parallel@gnu.org for support (unless you want to hire me).

> First, let me thank you for creating parallel. It's awesome :-)

Thank you. If you like GNU Parallel:

* Give a demo at your local user group/team/colleagues
* Post the intro videos on Reddit/Diaspora*/forums/blogs/
Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
* Request or write a review for your favourite blog or magazine
* Request or build a package for your favourite distribution (if it is
not already there)
* Invite me for your next conference

If you use GNU Parallel for research:

* Please cite GNU Parallel in you publications (use --bibtex)

If GNU Parallel saves you money:

* (Have your company) donate to FSF https://my.fsf.org/donate/

> I hope you can help me out with this question-
> I'm trying to download the latest version and I'd like to verify the
> signature. I couldn't find explicit instructions how to do that on the gnu
> parallel site.
> A search led me to an email thread where you linked to your public keys but
> I get this when I try to add your key to a ring:
>
> $ gpg --no-default-keyring --keyring vendors.gpg  --import key
> gpg: key FFFFFFF1: public key "Ole Tange <ole@tange.dk>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1

This looks fine. You should be able to do:

$ echo | gpg # To initialize
$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve parallel-*.tar.bz2.sig

gpg: Signature made Tue 14 May 2013 09:11:53 AM CEST using DSA key ID FFFFFFF1
gpg: requesting key FFFFFFF1 from hkp server keys.gnupg.net
gpg: /home/parallel/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFF1: public key "Ole Tange <ole@tange.dk>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Ole Tange <ole@tange.dk>"
gpg:                 aka "[jpeg image of size 4006]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE9C B493 81DE 3166 A3BC  66C1 2C62 29E2 FFFF FFF1

> gpg: public key of ultimately trusted key C29EEC93 not found
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> What is C29EEC93?

This I do not know. A key with ultimate trust soulds like your own.
Could it be that you have created a key, trusted it, and then removed
the key again?

> Could be helpful if the site contained easy to follow
> instructions for verification.

That is not a bad idea. I have put:

  To check the signature run:
    echo | gpg
    gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve parallel-*.tar.bz2.sig

in the .sig file on ftp://alpha.gnu.org/gnu/parallel/ Please test that.

> Thanks,
> -Shahar

/Ole