[SOLVED] PGP signatures of tools and scripts of liveslak

ag33k · 03-24-2018, 01:08 AM

If I download the package of the tools and scripts of liveslak, how do I check the PGP signature of alienbob?

Code:

$ wget http://git.slackware.nl/liveslak/snapshot/liveslak-1.1.9.7.tar.gz

What I am doing right now is cloning the repo and check the signature of the tag

Code:

$ git clone git://bear.alienbase.nl/liveslak.git
$ cd liveslak/
$ git verify-tag 1.1.9.7

gpg: Signature made Wed 14 Mar 2018 21:56:27 WET
gpg:                using RSA key 883EC63B769EE011
gpg: Good signature from "Eric Hameleers (Alien BOB) <alien@slackware.com>" [full]
gpg:                 aka "Eric Hameleers <eric.hameleers@gmail.com>" [unknown]
gpg:                 aka "Eric Hameleers (SBo) <alien@slackbuilds.org>" [unknown]
gpg:                 aka "Eric Hameleers (Thuis) <e.hameleers@chello.nl>" [unknown]
gpg:                 aka "Eric Hameleers (Alien Base) <eric.hameleers@alienbase.nl>" [unknown]
gpg:                 aka "[jpeg image of size 4594]" [unknown]
Primary key fingerprint: 2AD1 07EA F451 32C8 A991  F4F9 883E C63B 769E E011

There is way to check the signature of the tar.gz or the tar.xz available to download?

mralk3 · 03-24-2018, 05:10 AM

You need the accompanying .asc file. Then run:

gpg --verify file.asc

The file is usually in the same directory as the tarball for most projects.

But since this is a git tag you are downloading it's better to just use git to verify.

ponce · 03-24-2018, 06:05 AM

The tarballs you are referring to are snapshots generated on the fly by the git frontend, they don't have a pgp signature.

ag33k · 03-24-2018, 02:29 PM

Quote:

Originally Posted by mralk3

You need the accompanying .asc file. Then run:

gpg --verify file.asc

The file is usually in the same directory as the tarball for most projects.

But since this is a git tag you are downloading it's better to just use git to verify.

I understand that I need the .asc file to verify but I can't find it.

Quote:

Originally Posted by ponce

The tarballs you are referring to are snapshots generated on the fly by the git frontend, they don't have a pgp signature.

So the tarballs are generated by an automated process.

But what it's the right procedure to verify the PGP of this files?
Like I did or there is any site with the tarballs and the asc files also?

Alien Bob · 03-24-2018, 03:10 PM

If you clone the git repository you'll be able to trust the code if you checkout a signed tag (and if you trust my signature of course).
There are no signed tarballs for download.

ag33k · 03-24-2018, 03:43 PM

Quote:

Originally Posted by Alien Bob

If you clone the git repository you'll be able to trust the code if you checkout a signed tag (and if you trust my signature of course).
There are no signed tarballs for download.

It's good enough for me.