LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-11-2010, 05:32 AM   #1
Kilam orez
Member
 
Registered: Aug 2009
Location: India
Distribution: open suse, fedora
Posts: 33

Rep: Reputation: 15
Question what is public key and how to use it ?


hi everybody,

i want to install gfortran compiler,for that i downloaded two files.

1) gcc-fortran-4.3.3.tar.gz
2) gcc-fortran-4.3.3.tar.gz.sig

i used the gpg command as >

/Desktop> gpg --verify gcc-fortran-4.3.3.tar.gz.sig gcc-fortran-4.3.3.tar.gz
gpg: Signature made Sat 24 Jan 2009 07:03:07 PM IST using RSA key ID FC26A641
gpg: Can't check signature: No public key

1)i don't know what is public key?

2)why do we need it?

3)how can i get this public key and then install gfortran?


with due regards,
Kilam
 
Old 01-11-2010, 05:41 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Purely in the context of GPG, and not other uses of public key cryptography:

1) it's a metaphorical "key" that you'd obtain from the publisher which identifies their signature.

2) to verify that the file you have is as the author released it. if someone modifed the main file, then the signature check would fail.

3) here I think. http://mirror.anl.gov/pub/gnu/gnu-keyring.gpg but maybe I'm trying to trick you and give you a fake key... who do you trust??

In general though i'd wonder why you're trying to install from source code this in the first place from the questions you're asking. Is there not a prebuilt RPM / DEB / PKG / Something else that you could drop in much easier?
 
1 members found this post helpful.
Old 01-11-2010, 09:59 AM   #3
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, Ubuntu, Amazon Linux
Posts: 1,830
Blog Entries: 21

Rep: Reputation: 119Reputation: 119
As long as the source code has not been modified by anyone, you should be able to (build and) install the package, anyway.

The key verification is to check that no one modified the package since the author signed it. This signing happens by taking a cryptographically string hash of the original file package, and encrypting that hash using the author's private key. The public key can decrypt it only if the private key encrypted it (it's a "key pair" system).

Someone might try to trick you by modifying the package. Verification would fail because the hash you make during verification won't be the same (because this is a hash of modified data) as the one created by the original author. If the trickster re-signed the package, then the hash would match, but he would be identified differently via a different public key. If you have the public key of the real author, that one won't work if the trickster re-signed the package. As long as the trickster cannot trick you into using his public key as the author's public key (this is where the trust matter comes into play ... you have to trust that you have the real author's real public key), you can determine if the software you have is genuine or not.

This does not exclude people making improvements to packages. If I wanted to improve a package someone else wrote and signed, I would include their original package unchanged, plus my patches and other changes, package that all together, and sign it myself. You would then verify that I provided the outer package, and also verify that the inner package I included is an exact unchanged copy of what the original author write. If you have my public key then you can know I'm the one who wrote the patches and repackaged it.
 
1 members found this post helpful.
Old 01-13-2010, 01:44 AM   #4
Kilam orez
Member
 
Registered: Aug 2009
Location: India
Distribution: open suse, fedora
Posts: 33

Original Poster
Rep: Reputation: 15
Lightbulb

Quote:
Originally Posted by acid_kewpie View Post
Purely in the context of GPG, and not other uses of public key cryptography:

1) it's a metaphorical "key" that you'd obtain from the publisher which identifies their signature.

2) to verify that the file you have is as the author released it. if someone modifed the main file, then the signature check would fail.

3) here I think. http://mirror.anl.gov/pub/gnu/gnu-keyring.gpg but maybe I'm trying to trick you and give you a fake key... who do you trust??

In general though i'd wonder why you're trying to install from source code this in the first place from the questions you're asking. Is there not a prebuilt RPM / DEB / PKG / Something else that you could drop in much easier?
hi acid_kewpie,

actually i have installed SLED-11(suse linux enterprise-11)operating system.

and it doesn't contain gfortran compiler and i need it.
for that i downloaded gfortran psckage form following: ftp://ftp.gnu.org/gnu/gcc/

but that contains a .sig file also. and i don't know what to do with that?

so to get away from .sig file, i downloaded a rpm package from http://rpm.pbone.net/index.php3/stat...c12.x86_64.rpm

but it gives errors

~/Desktop> rpm -ivh gcc-gfortran-4.4.2-14.fc12.x86_64.rpm
warning: gcc-gfortran-4.4.2-14.fc12.x86_64.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 57bbccba
error: Failed dependencies:
gcc = 4.4.2-14.fc12 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libc.so.6(GLIBC_2.11)(64bit) is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libgfortran = 4.4.2-14.fc12 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libgfortran.so.3()(64bit) is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
rpmlib(FileDigests) <= 4.6.0-1 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
rpmlib(PayloadIsXz) <= 5.2-1 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
.

can anyone help me how can i install gfortran?

My operating system is SLED 11, should i use gfortran provided by suse site or can i use gfortran provided by other sites like from fedora sites?

thank you very much

kilam orez

Last edited by Kilam orez; 01-13-2010 at 01:45 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Public key, private key explained calande Linux - Security 3 06-12-2008 06:23 AM
Revoking GPG key with only passphrase and public key djib Linux - Security 2 03-13-2007 04:20 AM
GPG Data, Secret Key but no Public Key? Aeiri Linux - Software 5 07-20-2004 07:00 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 08:25 AM


All times are GMT -5. The time now is 11:06 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration