LinuxQuestions.org
Old 07-01-2010, 03:03 AM   #1
pr_deltoid
Member
 
Registered: Jun 2010
Distribution: Fedora
Posts: 289

Rep: Reputation: 41
Where is GNU's public key?


I can't find GNU's public key anywhere. I searched on ftp.gnu.org and I googled, and I can't find their public key.
 
Old 07-01-2010, 03:17 AM   #2
alli_yas
Member
 
Registered: Apr 2010
Location: Johannesburg
Distribution: Fedora 14, RHEL 5.5, CentOS 5.5, Ubuntu 10.04
Posts: 559

Rep: Reputation: 92
Hi

Is this what you're looking for - http://www.gnu.org/usenet/usenet-gpg-key.txt
 
Old 07-01-2010, 03:28 AM   #3
pr_deltoid
Member
 
Registered: Jun 2010
Distribution: Fedora
Posts: 289

Original Poster
Rep: Reputation: 41
I guess so... I saw that, but since it said "usenet" I thought it was some specific public key and not the general public key...
EDIT: Nope. That's not it.

Quote:
To automatically create new gnu.* newsgroups and remove defunct ones, please honor all control messages in gnu.* from usenet@gnu.org that are signed by the corresponding GPG public key (see below). The INN control.ctl entry is:

## GNU (Free Software Foundation)
# Contact: usenet@gnu.org
# URL: http://www.gnu.org/usenet/usenet.html
# Key URL: http://www.gnu.org/usenet/usenet-gpg-key.txt
# Key Fingerprint = C006 C321 A9A6 635D 0F6D AEB2 7358 FE1D F904 5B7D
checkgroups:usenet@gnu.org:gnu.*:verify-usenet@gnu.org
newgroup:usenet@gnu.org:gnu.*:verify-usenet@gnu.org
rmgroup:usenet@gnu.org:gnu.*:verify-usenet@gnu.org

A very long time ago, control messages used to be sent from gnu@prep.ai.mit.edu or from news@prep.ai.mit.edu; these addresses are now entirely obsolete.

All control messages in the gnu.* hierarchy are signed with a GPG signature using the GNU Privacy Guard (GnuPG). News servers should have a mechanism that allows them to verify those signatures; see your news server documentation.

Download the gnu.* PGP public key.

Last edited by pr_deltoid; 07-01-2010 at 03:40 AM.
 
Old 09-26-2014, 08:57 AM   #4
miriam-e
LQ Newbie
 
Registered: Nov 2011
Location: QLD, Australia
Distribution: Puppy Linux
Posts: 28

Rep: Reputation: Disabled
I've just been pratting around for about an hour trying to verify the latest version of bash and its patches from ftp.gnu.org (after hearing about the shellshock bug and wanting to protect myself). I couldn't find the gnu public key anywhere.

I eventually found a question on stackoverflow.com at
http://stackoverflow.com/questions/5...-for-gnu-emacs
which has a great answer that includes where to find the GNU public keys:
http://ftp.gnu.org/gnu/gnu-keyring.gpg
After downloading them you tell gpg of their existence by:
gpg --import gnu-keyring.gpg

After all this it still doesn't tell you if the signature is trustworthy, nor does it seem to do any check on the file itself (though I could be wrong there).

I don't know why the sha-1 or md5sum systems are not considered good enough. It doesn't seem very secure to use a security system that is not explained in a note on the site. It kinda renders it useless. When I looked for gpg documentation I found a massive manual that goes to the other extreme of burying the user in too much information. I wonder how many people will wade through all that in order to use it.
[sigh]
 
Old 02-08-2018, 04:05 PM   #5
cme0848
LQ Newbie
 
Registered: Sep 2015
Posts: 7

Rep: Reputation: Disabled
Fast forwarding to the future... not much has changed. Not sure why we set up signatures and public keys in the first place if we're going to obscure the entire process.

[sighh]


I'm sure it has something to do with my lack of knowledge but after programming for multiple decades now I'm starting to think it's the programming world that's crazy, not me.
 
Old 02-08-2018, 06:36 PM   #6
miriam-e
LQ Newbie
 
Registered: Nov 2011
Location: QLD, Australia
Distribution: Puppy Linux
Posts: 28

Rep: Reputation: Disabled
Agreed. It's strange that the verification process is now so difficult. I can't help wondering how many people (like me) have been unable to work out how to verify the most recent gpg keyring stuff. I'm no dummy. I've taught myself upwards of 20 computer languages, write books and short stories, and understand the intricacies of computer hardware at the level of transistors.

If gpg is so complex that it can't be explained in a few lines then it's effectively useless to 90% of people.

Okay, I've looked into it again.

When I tried to verify a previously downloaded gpg signature file for an older version of bash:
Code:
gpg --verify bash-4.3.tar.gz.sig
it gave the response:
Code:
gpg: Signature made Wed 26 Feb 2014 00:36:04 EST using DSA key ID 64EA74AB
gpg: Can't check signature: public key not found
so my next step needed to be to get the key 64EA74AB listed in the reply. (Why the program doesn't do this itself I don't know.)
Code:
gpg --recv-keys 64EA74AB
That gives the following:
Code:
gpg: requesting key 64EA74AB from hkp server keys.gnupg.net
gpg: key 64EA74AB: public key "Chet Ramey <chet@cwru.edu>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1
So now I can try verifying the original signature again:
Code:
gpg --verify bash-4.3.tar.gz.sig
This resulted in this:
Code:
gpg: Signature made Wed 26 Feb 2014 00:36:04 EST using DSA key ID 64EA74AB
gpg: Good signature from "Chet Ramey <chet@cwru.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C01 35FB 088A AF6C 66C6  50B9 BB58 69F0 64EA 74AB
which I think means the checksum for bash-4.3.tar.gz was good, but there isn't any indication whether the signature actually came from Chet Ramey or someone impersonating him. So this is not much better than the old checksum systems unless I can find a way to reliably get Chet Ramey's public key.

Okay... I looked up Chet Ramey's webpage online and he gives his gpg key right there for download. I downloaded it to the current working directory then I tried importing it:
Code:
gpg --import gpgkey.asc
resulting in nothing, apparently because it already has his key (I think from the --recv-keys command):
Code:
gpg: key 64EA74AB: "Chet Ramey <chet@cwru.edu>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
So then I tried trusting his signature because I know it's his.
Code:
gpg --edit-key Chet
This prints up some info about his key and waits at a command prompt
Code:
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: unknown       validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>

Command>
I tell it to trust his signature as level 4 trust
Code:
Command> trust
pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: unknown       validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: full          validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> quit
but when I try to verify the bash file's signature again nothing has changed:
Code:
gpg --verify bash-4.3.tar.gz.sig 
gpg: Signature made Wed 26 Feb 2014 00:36:04 EST using DSA key ID 64EA74AB
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Chet Ramey <chet@cwru.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C01 35FB 088A AF6C 66C6  50B9 BB58 69F0 64EA 74AB
However, I tried trusting Chet's signature again and this time I chose level 5 (I had to answer "y"):
Code:
gpg --edit-key Chet
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: full          validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>

Command> trust
pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: full          validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/64EA74AB  created: 2004-08-02  expires: never       usage: SC  
                     trust: ultimate      validity: unknown
sub  1024g/F2C850E7  created: 2004-08-02  expires: never       usage: E   
[ unknown] (1). Chet Ramey <chet@cwru.edu>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> quit
and this time when I tried verifying the file it showed something different:
Code:
gpg --verify bash-4.3.tar.gz.sig 
gpg: Signature made Wed 26 Feb 2014 00:36:04 EST using DSA key ID 64EA74AB
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Chet Ramey <chet@cwru.edu>"
While this is reassuring, it seems a lot of hassle for every damn program. Surely there is a better way.

Last edited by miriam-e; 02-08-2018 at 06:59 PM.
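Posts #4 and #6 above both walk through importing a key and running gpg --verify, and both end at the "not certified with a trusted signature" warning. The wrapper below is an added example, not code from the posts or from GnuPG. It separates the two questions gpg answers (is the signature cryptographically valid, and is the key trusted) by reading gpg's machine-readable --status-fd output and accepting the tarball only when the VALIDSIG line carries a fingerprint pinned ahead of time, which makes editing ownertrust unnecessary. The pinned fingerprint is the one gpg printed in the post; the function names, file paths and sample status lines are assumptions constructed for illustration.

```python
"""Verify a GnuPG detached signature by pinning the signer's fingerprint.

Added example for this thread; it is not code from the original posts or from
GnuPG. Instead of relying on gpg's web-of-trust warning, it runs gpg with
--status-fd and accepts the file only if gpg reports VALIDSIG for the
fingerprint we already expect. The pinned fingerprint is the one gpg printed
in the post above; the file names, wrapper names and sample status lines are
assumptions constructed for illustration.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Primary key fingerprint printed by "gpg --verify" in the thread, with the
# display spaces removed. Pin the full 40-hex-digit fingerprint, never the
# 8-digit short ID ("64EA74AB"): short IDs are cheap to collide.
EXPECTED_FPR = "7C0135FB088AAF6C66C650B9BB5869F064EA74AB"


@dataclass
class VerifyResult:
    good: bool                   # gpg found the signature cryptographically valid
    fingerprint: Optional[str]   # primary key fingerprint from VALIDSIG, if any
    pinned: bool                 # that fingerprint equals the pinned one
    reason: str


def parse_status(status_output: str, expected_fpr: str = EXPECTED_FPR) -> VerifyResult:
    """Decide from gpg's machine-readable status lines (see doc/DETAILS in GnuPG).

    Lines used:
      [GNUPG:] GOODSIG   <long keyid> <user id>
      [GNUPG:] BADSIG    <long keyid> <user id>
      [GNUPG:] ERRSIG    <long keyid> <pkalgo> <hashalgo> <class> <time> <rc> ...
      [GNUPG:] NO_PUBKEY <long keyid>
      [GNUPG:] VALIDSIG  <fpr> <date> <timestamp> ... [<primary key fpr>]
    The TRUST_* lines are deliberately ignored: they report ownertrust, which
    is irrelevant once the fingerprint is pinned out of band.
    """
    want = expected_fpr.replace(" ", "").upper()
    good = bad = False
    missing = None
    fpr = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG"):
            bad = True
        elif keyword == "NO_PUBKEY":
            missing = fields[2]
        elif keyword == "VALIDSIG":
            # First field is the signing key's fingerprint; the last one is the
            # primary key's (identical here, since the thread's key signs with
            # its primary key). Compare the primary key.
            fpr = fields[-1].upper()
    if missing:
        return VerifyResult(False, None, False, f"public key {missing} not in keyring")
    if bad:
        return VerifyResult(False, fpr, False, "bad signature")
    if not good or fpr is None:
        return VerifyResult(False, fpr, False, "no valid signature reported")
    if fpr != want:
        return VerifyResult(True, fpr, False, "good signature, but not from the pinned key")
    return VerifyResult(True, fpr, True, "good signature from the pinned key")


def verify_file(sig_path: str, data_path: str, expected_fpr: str = EXPECTED_FPR) -> VerifyResult:
    """Run gpg and judge the status stream, never the human-readable text.

    With --status-fd 1 the status lines go to stdout and the prose (including
    the 'not certified with a trusted signature' warning) stays on stderr.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(proc.stdout, expected_fpr)


# Constructed samples of the status stream (not captured output): the values
# mirror the post's human-readable gpg output for bash-4.3.tar.gz.sig.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BB5869F064EA74AB Chet Ramey <chet@cwru.edu>
[GNUPG:] VALIDSIG 7C0135FB088AAF6C66C650B9BB5869F064EA74AB 2014-02-26 1393392964 0 4 0 17 2 00 7C0135FB088AAF6C66C650B9BB5869F064EA74AB
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG BB5869F064EA74AB 17 2 00 1393392964 9
[GNUPG:] NO_PUBKEY BB5869F064EA74AB
"""
# Same shape, but signed by some other key (all-zero placeholder fingerprint).
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(EXPECTED_FPR, "0" * 40)

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("no_pubkey", SAMPLE_NO_PUBKEY), ("other", SAMPLE_OTHER_KEY)]:
        print(name, parse_status(sample))
```

In real use, import the GNU keyring first (gpg --import gnu-keyring.gpg, as in post #4), then call verify_file("bash-4.3.tar.gz.sig", "bash-4.3.tar.gz"). The fingerprint to pin must come from somewhere other than the server that served the tarball, for instance the maintainer's own page mentioned in post #6; once it is pinned, the ownertrust prompts in gpg --edit-key add nothing to the check.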
 
Old 02-08-2018, 06:49 PM   #7
miriam-e
LQ Newbie
 
Registered: Nov 2011
Location: QLD, Australia
Distribution: Puppy Linux
Posts: 28

Rep: Reputation: Disabled
I should add that in searching for this information I also found an old RedHat explanation of gpg which told me how to create my own key:
Getting Started with Gnu Privacy Guard.

It's part of a larger online book Red Hat Enterprise Linux 4 Step By Step Guide.

I doubt that having a personal key affected the stuff I described about verifying a file with its gpg signature, but there is a remote chance it might. I probably should have tried it before creating my own signature.
 
  

