LinuxQuestions.org
Old 05-28-2013, 03:05 PM   #1
PeterUK
Member
 
Registered: May 2009
Posts: 277

Rep: Reputation: 16
Basic installations procedures question, package verification *.asc


I am trying to start using .asc files to verify the integrity of packages. I know I should have been doing it already, but the truth is I am not sure how.

I did look a bit in Google and the Slack docs.

I found a way to do it with the "KEY" by:
downloading the key and saving it as gpg-key

then run
Code:
gpg --import gpg-key
It gave a message that I have imported the key

gpg --verify file.asc

and it gives

Code:
gpg: Signature made Wed 13 Mar 2013 03:39:36 PM GMT using DSA key ID 98C3739D
gpg: Good signature from "Vincent Lefevre <vincent@vinc17.net>"
gpg:                 aka "Vincent Lefèvre <vincent@vinc17.net>"
gpg:                 aka "Vincent Lefevre <vincent@vinc17.org>"
gpg:                 aka "Vincent Lefèvre <vincent@vinc17.org>"
gpg:                 aka "Vincent Lefevre <Vincent.Lefevre@inria.fr>"
gpg:                 aka "Vincent Lefèvre <Vincent.Lefevre@inria.fr>"
gpg:                 aka "Vincent Lefevre <Vincent.Lefevre@ens-lyon.fr>"
gpg:                 aka "Vincent Lefèvre <Vincent.Lefevre@ens-lyon.fr>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 07F3 DBBE CC1A 3960 5078  094D 980C 1976 98C3 739D
I've got this from here, which is the mpfr package.

But I still don't know how to do it with the slackbuilds, as if I do:
(I have used avrdude as an example here)
Code:
bash-4.2# gpg --verify avrdude.tar.gz.asc
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Can't check signature: public key not found
But in slackbuilds there is no key, right?

How do you do it with the slackbuilds? I guess it has to do with the number next to the package in the source, right?

I also tried from that page in mpfr like:

Code:
gpg --recv-keys 98C3739D
as it said there, but it gives:
Code:
gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI
Also, I have to compare the fingerprint with the one from the website; is it possible to do that automatically?

UPDATE:

I also tried "--import file.asc" as I found in a post:
I get:
Quote:
bash-4.2# gpg --import avrdude.tar.gz.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Last edited by PeterUK; 05-28-2013 at 03:11 PM.
 
Old 05-28-2013, 03:25 PM   #2
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,806

Rep: Reputation: 810
http://slackbuilds.org/faq/#gpg
 
Old 05-28-2013, 03:30 PM   #3
gegechris99
Member
 
Registered: Oct 2005
Location: France
Distribution: Slackware 14.1 32bit
Posts: 719
Blog Entries: 3

Rep: Reputation: 76
Quote:
Originally Posted by PeterUK View Post
But I still don't know how to do it with the slackbuilds, as if I do:
(I have used avrdude as an example here)
Code:
bash-4.2# gpg --verify avrdude.tar.gz.asc
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Can't check signature: public key not found
But in slackbuilds there is no key, right?
There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key into your key ring and run the verify command again for your SlackBuild script, and you'll see something like this:

Code:
$ gpg --verify avrdude.tar.gz.asc 
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »
 
Old 05-28-2013, 07:51 PM   #4
PeterUK
Member
 
Registered: May 2009
Posts: 277

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by gegechris99 View Post
There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key into your key ring and run the verify command again for your SlackBuild script, and you'll see something like this:

Code:
$ gpg --verify avrdude.tar.gz.asc 
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »
Thanks I think I was missing that key.

But I get this reply:

Code:
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6
 
Old 05-29-2013, 02:24 AM   #5
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,806

Rep: Reputation: 810
Quote:
Originally Posted by PeterUK View Post
Thanks I think I was missing that key.
Yeah, that was my point. Sorry if it was vague.

Quote:
But I get this reply:

Code:
gpg: Signature made Tue 02 Oct 2012 05:28:51 PM BST using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6
This looks as expected. Notice the "Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"" part. If you had told GPG to trust the key, you wouldn't get the warning.
 
Old 05-29-2013, 02:26 AM   #6
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,806

Rep: Reputation: 810
Making the key trusted does not make sense unless you received the key directly from one of the developers in person, or someone else who you can trust has done so and can confirm it is the real key.
 
Old 05-29-2013, 06:28 PM   #7
PeterUK
Member
 
Registered: May 2009
Posts: 277

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by gegechris99 View Post
There is a public key for verifying SlackBuild scripts from slackbuilds.org. Look at the FAQ #4.

Direct link to the public key can be found here.

Import the key into your key ring and run the verify command again for your SlackBuild script, and you'll see something like this:

Code:
$ gpg --verify avrdude.tar.gz.asc 
gpg: Signature faite le mar. 02 oct. 2012 18:28:51 CEST avec la clé DSA ID 9C7BA3B6
gpg: Bonne signature de « SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org> »
How can you make the key trusted, so I don't get the warning? Thanks
 
Old 05-29-2013, 06:39 PM   #8
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,520

Rep: Reputation: 407
Code:
gpg --edit-key slackbuilds
trust
 
Old 05-30-2013, 06:36 AM   #9
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884
Alternatively, you can use --lsign-key to sign a key that you trust, but this will require you to have already created a key-pair of your own.
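
An added example, not part of any post in this thread, for the question in post #1 about comparing the fingerprint automatically: it reads gpg's machine-readable `--status-fd` output and accepts a signature only when it was made by a pinned primary-key fingerprint, whether or not the key is marked trusted. The function names, the script name and the sample status lines are assumptions constructed for illustration; the fingerprint is the one printed in the thread's gpg output.

```sh
#!/bin/sh
# Added example: accept a signature only when it comes from a pinned key.

# Fingerprint printed in the thread's gpg output for the SlackBuilds.org key.
# Confirm it through a channel you trust before pinning it.
SBO_FPR="D3076BC3E783EE747F09B8B70368EF579C7BA3B6"

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0368EF579C7BA3B6 SlackBuilds.org Development Team
[GNUPG:] VALIDSIG D3076BC3E783EE747F09B8B70368EF579C7BA3B6 2012-10-02 1349195331 0 4 0 17 2 00 D3076BC3E783EE747F09B8B70368EF579C7BA3B6
[GNUPG:] TRUST_UNDEFINED'

# Strip blanks and upper-case, so "D307 6BC3 ..." can be pasted as printed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# check_status EXPECTED_FPR: read status lines on stdin; succeed only if a
# VALIDSIG line names the pinned primary key and nothing reports a bad,
# unverifiable, expired or revoked signature.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 12 is the primary-key fingerprint; appending "" forces a
        # string comparison even if the hex happens to look numeric.
        $2 == "VALIDSIG" && want != "" && ($12 "") == (want "") { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_pinned SIGFILE [DATAFILE]: the human-readable text goes to stderr,
# the status lines to stdout; TRUST_UNDEFINED (the WARNING) is not an error.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null | check_status "$SBO_FPR"
}

# Usage: sh verify-pinned.sh avrdude.tar.gz.asc
if [ "$#" -gt 0 ]; then
    verify_pinned "$@" || { echo "FAIL: not signed by pinned key" >&2; exit 1; }
    echo "OK: valid signature from $SBO_FPR"
fi
```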
 
  

