Menu
I have used emacs for only half a year from 23.1 to 23.3.
Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version, I failed.
It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...
I can only find SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check
How do I do this?
245
GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.
If you try to verify the signature using
gpg --verify <pkg>.key you'll get an output like the following:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115 gpg: Can't check signature: No public key The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:
gpg --recv-keys BE216115 Which resulted in the following on my installation:
gpg: requesting key BE216115 from hkp server keys.gnupg.net gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 1f, 0u gpg: depth: 2 valid: 6 signed: 1 trust: 0-, 0q, 0n, 6m, 0f, 0u gpg: Total number processed: 1 gpg: imported: 1 Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115 gpg: Good signature from "Francesco Potortì <[email protected]>" gpg: aka "Francesco Potortì <[email protected]>" gpg: aka "Francesco Potortì <[email protected]>" gpg: aka "Francesco Potortì <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115 So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:
gpg --edit-key BE216115 In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard
77
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
