How do you GPG verify all of your rsync slackware directory
An example of a file with a bad signature (and the gpg output)?
Eric
Hi Eric,
Because I cannot tell which file it's stating these about, this is all I can paste.
Hopefully this helps.
Quote:
gpg: Can't check signature: public key not found
gpg: no signed data
gpg: can't hash datafile: file open error
gpg: Signature made Thu 28 Jul 2005 03:35:11 PM EDT using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found
gpg: Signature made Wed 27 Oct 2004 12:53:02 PM EDT using DSA key ID 08C975E5
gpg: Can't check signature: public key not found
gpg: Signature made Sun 02 Jan 2005 06:32:06 PM EST using DSA key ID 74C732D1
gpg: Can't check signature: public key not found
gpg: Signature made Fri 02 Sep 2005 04:59:06 PM EDT using RSA key ID 26BB437D
gpg: Can't check signature: public key not found
gpg: Signature made Sat 19 Mar 2005 04:32:19 PM EST using DSA key ID 3C0E751C
gpg: Can't check signature: public key not found
gpg: Signature made Thu 01 Sep 2005 05:15:38 AM EDT using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found
gpg: Signature made Sat 04 Sep 2004 03:07:26 PM EDT using DSA key ID A511976A
gpg: Can't check signature: public key not found
gpg: Signature made Mon 17 Nov 2003 11:52:30 AM EST using DSA key ID 49843813
gpg: Can't check signature: public key not found
gpg: Signature made Mon 05 Sep 2005 04:54:45 AM EDT using DSA key ID 2BB2D54A
gpg: Can't check signature: public key not found
gpg: Signature made Sun 14 Aug 2005 09:03:31 PM EDT using DSA key ID 2BB2D54A
gpg: Can't check signature: public key not found
gpg: no signed data
gpg: can't hash datafile: file open error
gpg: Signature made Tue 11 Oct 2005 07:57:55 AM EDT using DSA key ID 2BB2D54A
gpg: Can't check signature: public key not found
gpg: Signature made Wed 13 Sep 2006 07:16:15 PM EDT using DSA key ID 1AF32821
gpg: Can't check signature: public key not found
gpg: Signature made Thu 27 Jul 2006 02:35:51 PM EDT using RSA key ID 10FDE075
gpg: Can't check signature: public key not found
gpg: Signature made Wed 19 Apr 2006 02:35:03 PM EDT using DSA key ID 1AF32821
gpg: Can't check signature: public key not found
gpg: Signature made Thu 02 Feb 2006 06:01:22 PM EST using DSA key ID 2BB2D54A
gpg: Can't check signature: public key not found
gpg: Signature made Tue 03 Jan 2006 11:22:50 AM EST using DSA key ID 2BB2D54A
gpg: Can't check signature: public key not found
gpg: Signature made Wed 13 Sep 2006 07:11:45 PM EDT using DSA key ID 1AF32821
gpg: Can't check signature: public key not found
gpg: Signature made Wed 01 Feb 2006 06:34:31 AM EST using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found
gpg: Signature made Sun 22 Jan 2006 07:38:16 AM EST using DSA key ID 052E7D95
gpg: Can't check signature: public key not found
gpg: Signature made Tue 19 Jul 2005 03:11:23 PM EDT using DSA key ID 6D1ECD07
gpg: Can't check signature: public key not found
gpg: Signature made Sat 30 Jul 2005 03:22:36 PM EDT using DSA key ID 6D1ECD07
gpg: Can't check signature: public key not found
gpg: Signature made Tue 19 Jul 2005 02:58:54 PM EDT using DSA key ID 6D1ECD07
gpg: Can't check signature: public key not found
gpg: Signature made Tue 13 Sep 2005 03:32:14 PM EDT using DSA key ID 40102233
Well obviously you're checking a directory with tarballs and signature files of many individuals, none of whose GPG keys you've yet imported.
For one that occurs several times, key number 6D1ECD07:
Code:
6D1ECD07 Chase Phillips <cphillip@gmail.com>
I don't know the guy and the software he created but you have tried verifying his.
I'm just checking the files that are rsync'd using your slack current, but I changed the path to be slack 10.2.
Is it possible that other files are distributed by Slackware and they include original sources from the original writers of the sources/software, so they are there too?
Code:
if [ ! -d "${TOPDIR}/slackware-$VERSION" ]; then
  echo "Target directory ${TOPDIR}/slackware-$VERSION does not exist!"
  exit 1
fi
# Stop if cd fails, so rsync --delete never runs in the wrong directory
cd "${TOPDIR}/slackware-$VERSION" || exit 1
rsync $1 -vaz --delete --exclude "pasture/*" "${RSYNCURL}/slackware-$VERSION/" .
In an effort to make this go quickly and find which files are bad, I tried looking for a GUI application to do this, that is, one that recurses through subdirectories and echoes file names and their validity, and I can't find anything for this.
I really think the KDE team needs to make a service menu for konqueror that allows you to alt+click on two files, file.tar.gz.asc and file.tar.gz, and have a service menu come up, gpg verify it for you and show results in konqueror or a dialog box.
I'm shocked there is nothing like this.
Antivir, clam-av have context menu / service menu items that scan files or directories.
A simple desktop item in /home/user/.kde/share/apps/konqueror/servicemenus would be something like this, but my 'bash scripting' is so bad I have no idea how to do this.
In the essence of time, I guess basically, is there a way for the terminal/konsole to report/print/echo the name of the file that is not able to be verified because I do not have their key while I run the gpg verify stuff?
I'd just like to further investigate it, though I'm really disappointed at this and may never work off of a mirror again, but I don't want to kill Pat's bandwidth either. Dilemma.
Could you please tell me from which directory you run, and what exact command you run?
On my Slackware 10.2 mirrored packages I get nothing but:
Code:
gpg: Signature made Mon 24 Apr 2006 09:54:21 PM CEST using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC56 49DA 401E 22AB FA67 36EF 6A44 63C0 4010 2233
Other GPG key signed packages should not be present there. If there are those in your Slackware mirrored tree, I'd start looking for serious aberrations.
[Desktop Action compute]
Name=GPG Verify
Exec=konsole --noclose -T --GPGVerifier %D -e find . -name \*.asc -exec gpg --verify -v {} \;
#Exec=konsole --noclose -T --GPGVerifier %D -e find . -name \*.asc -print -a -fprint ~/Desktop/File-ending-in-asc.log
#the above does make a file & print out on screen for all files it finds with .asc extension
Icon=kgpg
Now save it to ~/.kde/share/apps/konqueror/servicemenus/new-gpg-menu.desktop
Your file is to be saved with .desktop extension.
Now you just go into the folder you rsync'd and right-click on any file there (you need to do this so that the Exec command above registers the %D (directory) parameter). Then go to Actions and select GPG Verify; it brings up konsole, dives into subfolders, and lists file names.
I recommend to go into konsole, settings, history, check off to have unlimited history and then settings 'save as default'.
Now to get a text file, you can save it from konsole.
Further notes:
- Do I need the 2>&1, as Alien Bob had?
- How do I get this to just dump a text output file too, to ~/Desktop/gpg-verify.log?
Oh, so to make it short: all of the sources for /patches...that were rsync'd are all bad, and a few of the regular sources for Slackware itself. None of the install files or patches.
Before I dumped my pc I decided to do some investigating of the compromised(?) files vs that shown on slackware's ftp site, Pat V's. Basically, Pat "does" have stuff from "others" on the site in /patches/sources they check out vs what I have via the rsync, so now I'm really baffled but going to play it safe.
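One way to get a per-file verdict plus a log file, as asked in the posts above (an added example, not part of the thread and not Alien Bob's script). It reads gpg's machine-readable `--status-fd` lines instead of the human messages, which gpg writes to stderr and which is why a plain redirect needs `2>&1`. The function names and the `LOG` variable are made up for this example, and it assumes each `X.asc` is a detached signature for a file `X` beside it.

```shell
#!/bin/sh
# Added example: report a verdict and key ID for every *.asc under a tree.

# classify_status: read `gpg --status-fd` lines on stdin, print "VERDICT KEYID".
classify_status() {
    verdict=ERROR
    keyid=-
    while read -r tag word key rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        [ "$verdict" = BAD ] && continue      # a bad signature is never downgraded
        case $word in
            GOODSIG)   verdict=GOOD;      keyid=$key ;;
            BADSIG)    verdict=BAD;       keyid=$key ;;
            NO_PUBKEY) verdict=NO_PUBKEY; keyid=$key ;;   # signer's key not imported
            EXPSIG|EXPKEYSIG|REVKEYSIG) verdict=$word; keyid=$key ;;
        esac
    done
    printf '%s %s\n' "$verdict" "$keyid"
}

# verify_tree DIR: one line per signature file: "VERDICT KEYID PATH".
# File names containing newlines are not handled.
verify_tree() {
    find "$1" -type f -name '*.asc' | sort | while IFS= read -r sig; do
        data=${sig%.asc}
        if [ ! -f "$data" ]; then
            # Detached signature with nothing beside it to check.
            echo "MISSING_DATA - $sig"
            continue
        fi
        result=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null |
                 classify_status)
        echo "$result $sig"
    done
}

# Run only when given a directory, e.g.: sh gpg-verify-tree.sh slackware-10.2
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    verify_tree "$1" | tee "${LOG:-$HOME/Desktop/gpg-verify.log}"
fi
```

Running `grep -v '^GOOD ' ~/Desktop/gpg-verify.log` on the result lists only the files that need a closer look, each with the key ID that would have to be imported.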
Aha! I checked only the Slackware packages, not the sources. Of course, Pat can only gpg-sign the stuff he creates himself.
So, problem solved - nothing was compromised.
Yeah, that's what I'm thinking too, because the "goofy named files", as I refer to them, are also listed in his files list in the top level directory of slackware10.2 on the ftp site. So they do have a corresponding checksum, and those worked too.
Maybe I need to modify the script to also ignore source? in addition to ignoring pasture.
Oh, in case anyone finds this thread: I changed the "q" to a "v" in Alien Bob's line and therefore that shows the file names and path to files. Hope that helps.
Now I'm off to try and figure out how to get enigmail/pgp to work. I think I need a gpg101 class.
Cool. I could not read the thread since it required registering at the snort forum site (which I did not want), so perhaps you could paste some of the relevant bits here?