LinuxQuestions.org


PeterUK 05-28-2013 03:05 PM

Basic installations procedures question, package verification *.asc
 
I am trying to start using .asc files to verify the integrity of packages. I know I should have been doing it already, but the truth is I am not sure how.

I did look a bit in Google and the Slack docs.

I found a way to do it with the "KEY" by:
downloading the key and saving it as gpg-key

then run
Code:

gpg --import gpg-key
# gave a message that I have imported the key

gpg --verify file.asc

and it gives

Code:

gpg: Signature made Wed 13 Mar 2013 03:39:36 PM GMT using DSA key ID 98C3739D
gpg: Good signature from "Vincent Lefevre <vincent@vinc17.net>"
gpg:                aka "Vincent Lefèvre <vincent@vinc17.net>"
gpg:                aka "Vincent Lefevre <vincent@vinc17.org>"
gpg:                aka "Vincent Lefèvre <vincent@vinc17.org>"
gpg:                aka "Vincent Lefevre <Vincent.Lefevre@inria.fr>"
gpg:                aka "Vincent Lefèvre <Vincent.Lefevre@inria.fr>"
gpg:                aka "Vincent Lefevre <Vincent.Lefevre@ens-lyon.fr>"
gpg:                aka "Vincent Lefèvre <Vincent.Lefevre@ens-lyon.fr>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 07F3 DBBE CC1A 3960 5078  094D 980C 1976 98C3 739D

I've got this from here, which is the mpfr package.

But I still don't know how to do it with the SlackBuilds, as if I do:
(I have used avrdude as an example here)
Code:

bash-4.2# gpg --verify avrdude.tar.gz.asc
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Can't check signature: public key not found

But in SlackBuilds there is no key, right?

How do you do it with the SlackBuilds? I guess it has to do with the number next to the package in the source, right?

I also tried from that page in mpfr, like:

Code:

gpg --recv-keys 98C3739D
as it said there, but it gives:
Code:

gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI

Also, I have to compare the fingerprint with the one from the website; is it possible to do that automatically?

UPDATE:

I also tried "--import file.asc", as I found in a post:
I get:
Quote:

bash-4.2# gpg --import avrdude.tar.gz.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

ruario 05-28-2013 03:25 PM

http://slackbuilds.org/faq/#gpg

gegechris99 05-28-2013 03:30 PM

Quote:

Originally Posted by PeterUK (Post 4960804)
But I still don't know how to do it with the SlackBuilds, as if I do:
(I have used avrdude as an example here)
Code:

bash-4.2# gpg --verify avrdude.tar.gz.asc
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Can't check signature: public key not found

But in SlackBuilds there is no key, right?

There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key in your key ring and run again the verify command for your SlackBuild script and you'll see something like that:

Code:

$ gpg --verify avrdude.tar.gz.asc
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »


PeterUK 05-28-2013 07:51 PM

Quote:

Originally Posted by gegechris99 (Post 4960816)
There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key in your key ring and run again the verify command for your SlackBuild script and you'll see something like that:

Code:

$ gpg --verify avrdude.tar.gz.asc
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »


Thanks I think I was missing that key.

But I get this reply:

Code:

gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6


ruario 05-29-2013 02:24 AM

Quote:

Originally Posted by PeterUK (Post 4960935)
Thanks I think I was missing that key.

Yeah, that was my point. Sorry if it was vague.

Quote:

But I get this reply:

Code:

gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6


This looks as expected. Notice the "Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"" part. If you had told GPG to trust the key, you wouldn't get the warning.

ruario 05-29-2013 02:26 AM

Making the key trusted does not make sense unless you received the key directly from one of the developers in person, or someone else who you can trust has done so and can confirm it is the real key.
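
The fingerprint comparison asked about in the first post can be scripted against gpg's machine-readable status output instead of the human-readable text. This is an added example, not part of any post in this thread: the function names and the sample status lines are constructed, and the pinned fingerprint is the one printed in the output quoted above, which still has to be confirmed against a source you trust.

```shell
#!/bin/sh
# Added example: accept a signature only if it is valid AND made by a pinned key.

# Fingerprint as printed in the gpg output quoted in this thread, spaces removed.
# Assumption: you have confirmed it against a source you trust.
SBO_FPR="D3076BC3E783EE747F09B8B70368EF579C7BA3B6"

# Read `gpg --status-fd` lines on stdin and print the primary key fingerprint
# of the first cryptographically valid signature; print nothing if none.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             # Field 12 is the primary key fingerprint; older gpg releases
             # omit it, so fall back to field 3 (the signing key itself).
             print (NF >= 12 ? $12 : $3); exit
         }'
}

# Succeed only if the status lines on stdin contain a valid signature whose
# primary key fingerprint equals $1 (spaces and letter case are ignored).
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE EXPECTED_FPR
# Runs gpg on a detached signature (e.g. avrdude.tar.gz.asc) and applies the
# check above; the exit status is that of the fingerprint comparison.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | status_matches_fpr "$2"
}

# Constructed sample of status output for a good signature by the key above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0368EF579C7BA3B6 SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>
[GNUPG:] VALIDSIG D3076BC3E783EE747F09B8B70368EF579C7BA3B6 2012-10-02 1349195331 0 4 0 17 2 00 D3076BC3E783EE747F09B8B70368EF579C7BA3B6
[GNUPG:] TRUST_UNDEFINED'

# Constructed sample for the "public key not found" case from the first post.
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0368EF579C7BA3B6 17 2 00 1349195331 9
[GNUPG:] NO_PUBKEY 0368EF579C7BA3B6'
```

`verify_pinned avrdude.tar.gz.asc "$SBO_FPR"` returns 0 only for a valid signature from that exact key, whether or not the key has been marked as trusted in the keyring.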

PeterUK 05-29-2013 06:28 PM

Quote:

Originally Posted by gegechris99 (Post 4960816)
There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key in your key ring and run again the verify command for your SlackBuild script and you'll see something like that:

Code:

$ gpg --verify avrdude.tar.gz.asc
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »


How can you make the key trusted, so I don't get the warning? Thanks

willysr 05-29-2013 06:39 PM

Code:

gpg --edit-key slackbuilds
# then, at the interactive gpg> prompt, type:
trust


GazL 05-30-2013 06:36 AM

Alternatively, you can use --lsign-key to sign a key that you trust, but this will require you to have already created a key-pair of your own.


All times are GMT -5.