bug#22276: .sig
From: Ludovic Courtès
Subject: bug#22276: .sig
Date: Sun, 03 Jan 2016 12:10:50 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Alex Kost <address@hidden> wrote:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>
>> 1. Download the binary tarball from
>> ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>> where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>> running the kernel Linux, and so on.
>>
>> Make sure to download the associated ‘.sig’ file and to verify the
>> authenticity of the tarball against it, along these lines:
>>
>> $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>> $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>> If that command fails because you don’t have the required public
>> key, then run this command to import it:
>>
>> $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
> should read gpg manual to find it out… but I won't». And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand. (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.
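
An added example, not part of this message or of the Guix manual: for an OpenPGP v4 key, a short key ID such as 3D9AEBB5 is the last 8 hex digits of the key's fingerprint, so a verification script should compare the full fingerprint that `gpg --status-fd` reports rather than the short ID. The function names and both fingerprints below are constructed placeholders (assumptions), and the status lines are a constructed sample.

```shell
#!/bin/sh
# Added example. The fingerprints are constructed placeholders, NOT real keys.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3D9AEBB5
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3D9AEBB5   # different key, same short ID

# Constructed sample of what `gpg --status-fd 1 --verify` prints for a good
# signature made by key FPR_A.
SAMPLE_STATUS="[GNUPG:] GOODSIG AAAAAAAA3D9AEBB5 Example Signer
[GNUPG:] VALIDSIG $FPR_A 2015-11-05 1446681600 0 4 0 1 8 00 $FPR_A"

# short_id FPR: print the 8-hex-digit short key ID, i.e. the fingerprint's tail.
short_id() {
    fp=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    head=${fp%????????}               # everything except the last 8 digits
    printf '%s\n' "${fp#$head}"
}

# signed_by FPR: read gpg status lines on stdin; return 0 only if they report
# a good signature (GOODSIG) whose signing or primary key fingerprint is FPR.
# Assumes the status output covers a single signature.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Insist on a full 40-hex-digit fingerprint; a short ID is not unique.
    [ "${#want}" -eq 40 ] || return 2
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    good=0 match=0
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    match=1
                fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$match" -eq 1 ]
}

# Demo on the constructed sample (a real run would pipe gpg's output instead).
printf '%s\n' "$SAMPLE_STATUS" | signed_by "$FPR_A" && echo "signed by FPR_A"
printf '%s\n' "$SAMPLE_STATUS" | signed_by "$FPR_B" || echo "not signed by FPR_B"
```

Both placeholder fingerprints share the short ID 3D9AEBB5, yet only the one named in the VALIDSIG line passes the check.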