Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
458 views
in Technique[技术] by (71.8m points)

gnupg - where can I find the public key for Gnu Emacs?

I have used emacs for only half a year from 23.1 to 23.3.

Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version. It turned out I failed every time :-].

It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...

I can only find SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check

I am not doubt the security of FSF, by the way. just curious...never use gpg before...

Can you give me a link?

Thanks

question from:https://stackoverflow.com/questions/5701388/where-can-i-find-the-public-key-for-gnu-emacs

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you try to verify the signature using

gpg --verify <pkg>.key

you'll get an output like the following:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key

The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:

gpg --recv-keys BE216115

Which resulted in the following on my installation:

gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2  valid:   6  signed:   1  trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31  7666 09DF 2DC9 BE21 6115

So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:

gpg --edit-key BE216115

In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...