Re: verifying autoconf-2.69c.tar.xz.sig
From: Zack Weinberg
Subject: Re: verifying autoconf-2.69c.tar.xz.sig
Date: Sun, 4 Oct 2020 12:25:19 -0400
On Fri, Oct 2, 2020 at 9:04 PM Thien-Thi Nguyen <ttn@gnuvola.org> wrote:
> I am having problems verifying the 2.69c release of GNU Autoconf:
>
> | $ gpg -k Zack
> | Portachiavi: /home/ttn/.gnupg/pubring.kbx
> | -----------------------------------------
> | pub ed25519 2018-07-23 [SC]
> | BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
> | uid [ unknown] Zack Weinberg (code signing / moxana) <zackw@panix.com>
> |
> | $ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
> | gpg: Signature made gio 24 set 2020 13:22:49 EDT
> | gpg: using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
> | gpg: Impossibile controllare la firma: No public key
>
> The exit value of the second command is 2 (non-zero).
This is partially my fault for being slightly too clever with my PGP
keys, and partially fallout from the keyserver spamming debacle last year
( https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f ).
Both of the keys whose fingerprints are mentioned above are mine.
$ gpg --list-secret-keys
/home/zack/.gnupg/pubring.gpg
-----------------------------
sec rsa4096 2010-01-14 [SC]
82F854F3CE73174B8B63174091FCC32B6769AA64
uid [ultimate] Zack Weinberg <zackw@panix.com>
ssb rsa4096 2010-01-14 [E]
sec ed25519 2018-07-23 [SC]
BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
uid [ full ] Zack Weinberg (code signing / moxana) <zackw@panix.com>
Key 82F854F3CE73174B8B63174091FCC32B6769AA64 is the one I use for
signing email, and the one that I've gotten signed by people in the
web of trust. It is _supposed_ to be the one you get from the PGP
keyservers if you ask them for the key associated with zackw@panix.com.
Since it's in the web of trust, it's the key I used to sign the 2.69c
release.
Key BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5 is exclusively used for
signing Git commit records. (For instance, you'll see it show up if
you do `git verify-tag v2.69c` in a current Autoconf source tree.)
It's not a subkey because there are two more of those, one for each
computer on which I regularly do development work. They're not in
the web of trust except for being signed by
82F854F3CE73174B8B63174091FCC32B6769AA64.
I uploaded those keys to the keyservers as well, so that people could
easily validate the signatures on my commit records, but I thought I
had arranged things so that they wouldn't take precedence over ...AA64
in searches by email address. It seems I was wrong:
$ gpg --auto-key-locate keyserver --locate-keys zackw@panix.com
pub ed25519 2018-07-23 [SC]
BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
uid [ full ] Zack Weinberg (code signing / moxana) <zackw@panix.com>
I presume this is how Thien-Thi got the wrong key.
I'll see what I can do to get the keyservers to report the correct key
for zackw@panix.com, but I can't promise I'll get anywhere. However,
if you use this procedure to validate the autoconf release tarball it
should succeed:
$ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
gpg: Signature made Thu Sep 24 13:22:49 2020 EDT
gpg: using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: Can't check signature: No public key
$ gpg --recv-keys 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: key 91FCC32B6769AA64: 19 signatures not checked due to missing keys
gpg: key 91FCC32B6769AA64: public key "Zack Weinberg <zackw@panix.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
$ gpg --verify autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
gpg: Signature made Thu Sep 24 13:22:49 2020 EDT
gpg: using RSA key 82F854F3CE73174B8B63174091FCC32B6769AA64
gpg: Good signature from "Zack Weinberg <zackw@panix.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 82F8 54F3 CE73 174B 8B63 1740 91FC C32B 6769 AA64
$ gpg --list-signatures 82F854F3CE73174B8B63174091FCC32B6769AA64
pub rsa4096 2010-01-14 [SC]
82F854F3CE73174B8B63174091FCC32B6769AA64
uid [ unknown] Zack Weinberg <zackw@panix.com>
sig 3 91FCC32B6769AA64 2010-01-14 Zack Weinberg <zackw@panix.com>
sig 51C63320797DC75F 2010-01-14 [User ID not found]
sig CB32A10788C3A5A5 2010-07-08 [User ID not found]
sig 217EB4E522FEB115 2010-07-08 [User ID not found]
sig 89300BD258E24182 2010-07-11 [User ID not found]
sig 025AB0106B17EA1E 2012-02-14 [User ID not found]
sig C218525819F78451 2012-05-31 [User ID not found]
sig 9FEE347FAC800B19 2010-07-09 [User ID not found]
sig 6D10531CE3C79D19 2010-07-12 [User ID not found]
sig 1B077D375BA4BDF1 2010-07-13 [User ID not found]
sig AB98288E36D33D07 2010-08-11 [User ID not found]
sig 180F6A5B3EDE742E 2010-07-08 [User ID not found]
sig 3 29AA2852333E7C23 2012-06-01 [User ID not found]
sig 2 DE7AAF6E94C09C7F 2012-07-22 [User ID not found]
sig 4814DEC22B307C3C 2012-07-05 [User ID not found]
sig 5DAFEFEA7D3BCF23 2012-10-04 [User ID not found]
sig F91E0FEC77026956 2012-07-07 [User ID not found]
sig 0DDC5745378C39EB 2013-10-14 [User ID not found]
sig 2 381BEC5EA8D6F5EC 2013-09-23 [User ID not found]
sig 242C3E04F018A7C2 2013-10-21 [User ID not found]
sub rsa4096 2010-01-14 [E]
sig 91FCC32B6769AA64 2010-01-14 Zack Weinberg <zackw@panix.com>
And you can then proceed to check the identities associated with those
signatures in the usual way.
As a further cross-check, the full fingerprint for key ...AA64 can be
found on my website at https://www.owlfolio.org/contact/, as well as a
link to where the key can be downloaded directly.
This message is signed with *both* of the keys discussed above.
zw
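The verification procedure from the message above, written up as an added shell example (not code from Zack's message or from the Autoconf project): it fetches the release key by its full ...AA64 fingerprint rather than by email address, then checks gpg's machine-readable status output against that pinned fingerprint instead of trusting the exit code or the human-readable text alone. check_status and verify_tarball are hypothetical helper names, and the status lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes gpg is in PATH.
# The pinned fingerprint is the ...AA64 release-signing key named in the thread.
EXPECTED_FPR="82F854F3CE73174B8B63174091FCC32B6769AA64"

# Reads `gpg --status-fd 1` lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned key. Field 3 is the fingerprint of the key that made the
# signature; field 12 is the primary-key fingerprint when a subkey signed, so
# both are accepted. A bad, unverifiable, expired-key or revoked-key signature
# fails immediately, even though gpg also prints VALIDSIG for the last two.
check_status() {
    want="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1
                ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                if [ "$3" = "$want" ] || [ "${12:-}" = "$want" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Hypothetical wrapper: import the key by fingerprint (never by email address,
# which is exactly how the wrong key was found in the thread), then verify.
# Returns 2 if the key cannot be fetched, 1 on a bad or wrong-key signature.
verify_tarball() {
    sig="$1"
    tarball="$2"
    gpg --batch --recv-keys "$EXPECTED_FPR" >/dev/null 2>&1 || return 2
    gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# Usage: verify_tarball autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz
```

`--recv-keys` with a full fingerprint is safe against the email-lookup problem described in the message, but it still relies on the keyserver being reachable; the fingerprint itself should be obtained out of band, for example from the owlfolio.org contact page mentioned above.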