LinuxQuestions.org
Old 01-11-2010, 04:32 AM   #1
Kilam orez
what is public key and how to use it?


Hi everybody,

I want to install the gfortran compiler; for that I downloaded two files.

1) gcc-fortran-4.3.3.tar.gz
2) gcc-fortran-4.3.3.tar.gz.sig

I used the gpg command as follows:

/Desktop> gpg --verify gcc-fortran-4.3.3.tar.gz.sig gcc-fortran-4.3.3.tar.gz
gpg: Signature made Sat 24 Jan 2009 07:03:07 PM IST using RSA key ID FC26A641
gpg: Can't check signature: No public key

1) I don't know what a public key is.

2) Why do we need it?

3) How can I get this public key and then install gfortran?


with due regards,
Kilam
 
Old 01-11-2010, 04:41 AM   #2
acid_kewpie
Purely in the context of GPG, and not other uses of public key cryptography:

1) It's a metaphorical "key" that you'd obtain from the publisher which identifies their signature.

2) To verify that the file you have is as the author released it. If someone modified the main file, then the signature check would fail.

3) Here, I think: http://mirror.anl.gov/pub/gnu/gnu-keyring.gpg but maybe I'm trying to trick you and give you a fake key... who do you trust??

In general though, I'd wonder why you're trying to install this from source code in the first place, given the questions you're asking. Is there not a prebuilt RPM / DEB / PKG / something else that you could drop in much more easily?
 
1 members found this post helpful.
Old 01-11-2010, 08:59 AM   #3
Skaperen
As long as the source code has not been modified by anyone, you should be able to (build and) install the package, anyway.

The key verification is to check that no one modified the package since the author signed it. This signing happens by taking a cryptographically strong hash of the original file package, and encrypting that hash using the author's private key. The public key can decrypt it only if the private key encrypted it (it's a "key pair" system).

Someone might try to trick you by modifying the package. Verification would fail because the hash you make during verification won't be the same (because this is a hash of modified data) as the one created by the original author. If the trickster re-signed the package, then the hash would match, but he would be identified differently via a different public key. If you have the public key of the real author, that one won't work if the trickster re-signed the package. As long as the trickster cannot trick you into using his public key as the author's public key (this is where the trust matter comes into play ... you have to trust that you have the real author's real public key), you can determine if the software you have is genuine or not.

This does not exclude people making improvements to packages. If I wanted to improve a package someone else wrote and signed, I would include their original package unchanged, plus my patches and other changes, package that all together, and sign it myself. You would then verify that I provided the outer package, and also verify that the inner package I included is an exact unchanged copy of what the original author wrote. If you have my public key then you can know I'm the one who wrote the patches and repackaged it.
 
1 members found this post helpful.
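
The hash-then-sign scheme and the trust problem described in the post above, as an added example (not part of the original thread and not GnuPG's code). It is textbook RSA in Python with constructed toy keys and no padding, for illustration only; the names make_keypair, digest, sign, verify and scenarios are hypothetical.

```python
import hashlib

E = 65537  # commonly used RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # modular inverse needs Python 3.8+

def digest(data: bytes) -> int:
    """SHA-256 of the package as an integer (smaller than either modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    n, d = private
    return pow(digest(data), d, n)  # only the private-key holder can compute this

def verify(data: bytes, signature: int, public) -> bool:
    n, e = public
    # Undo the signature with the public key, then compare with a fresh hash.
    return pow(signature, e, n) == digest(data)

# Constructed toy keys. Mersenne primes are public knowledge, so these keys
# are NOT secret and must never be used for anything real.
AUTHOR_PUB, AUTHOR_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
TRICK_PUB, TRICK_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)

def scenarios():
    package = b"constructed stand-in for gcc-fortran-4.3.3.tar.gz"
    sig = sign(package, AUTHOR_PRIV)          # what the .sig file carries
    tampered = package + b" (modified)"
    resigned = sign(tampered, TRICK_PRIV)     # trickster signs the modified file
    return {
        "genuine, author's key": verify(package, sig, AUTHOR_PUB),
        "tampered, original sig": verify(tampered, sig, AUTHOR_PUB),
        "re-signed, author's key": verify(tampered, resigned, AUTHOR_PUB),
        "re-signed, trickster's key": verify(tampered, resigned, TRICK_PUB),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:28} -> {'Good signature' if ok else 'BAD signature'}")
```

The last case is the one that matters: a re-signed package verifies cleanly against whichever key signed it, so the check is only as good as the channel the public key came from.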
Old 01-13-2010, 12:44 AM   #4
Kilam orez

Quote:
Originally Posted by acid_kewpie
Purely in the context of GPG, and not other uses of public key cryptography:

1) It's a metaphorical "key" that you'd obtain from the publisher which identifies their signature.

2) To verify that the file you have is as the author released it. If someone modified the main file, then the signature check would fail.

3) Here, I think: http://mirror.anl.gov/pub/gnu/gnu-keyring.gpg but maybe I'm trying to trick you and give you a fake key... who do you trust??

In general though, I'd wonder why you're trying to install this from source code in the first place, given the questions you're asking. Is there not a prebuilt RPM / DEB / PKG / something else that you could drop in much more easily?

Hi acid_kewpie,

Actually, I have installed the SLED-11 (SUSE Linux Enterprise 11) operating system,

and it doesn't contain the gfortran compiler, and I need it.
For that I downloaded the gfortran package from the following: ftp://ftp.gnu.org/gnu/gcc/

But that contains a .sig file also, and I don't know what to do with that.

So to get away from the .sig file, I downloaded an rpm package from http://rpm.pbone.net/index.php3/stat...c12.x86_64.rpm

but it gives errors:

~/Desktop> rpm -ivh gcc-gfortran-4.4.2-14.fc12.x86_64.rpm
warning: gcc-gfortran-4.4.2-14.fc12.x86_64.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 57bbccba
error: Failed dependencies:
gcc = 4.4.2-14.fc12 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libc.so.6(GLIBC_2.11)(64bit) is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libgfortran = 4.4.2-14.fc12 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
libgfortran.so.3()(64bit) is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
rpmlib(FileDigests) <= 4.6.0-1 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
rpmlib(PayloadIsXz) <= 5.2-1 is needed by gcc-gfortran-4.4.2-14.fc12.x86_64
.

Can anyone help me with how I can install gfortran?

My operating system is SLED 11; should I use the gfortran provided by the SUSE site, or can I use gfortran provided by other sites, like Fedora sites?

thank you very much

kilam orez

Last edited by Kilam orez; 01-13-2010 at 12:45 AM.
 
  

