[bug#29540] [PATCH] gnu: spice: Update to 0.14.0.

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#29540] [PATCH] gnu: spice: Update to 0.14.0.

From:	Andy Patterson
Subject:	[bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Date:	Sun, 3 Dec 2017 00:41:02 -0500

Hi Leo,

On Sat, 2 Dec 2017 19:41:23 -0500
Leo Famulari <address@hidden> wrote:

> On Sat, Dec 02, 2017 at 05:23:27PM -0500, Andy Patterson wrote:
> > I downloaded the sources over https, but I didn't verify them
> > against the signature provided, since I couldn't figure out where
> > to download the keys from. Tips on how to find keys in general
> > would be appreciated.  
> 
> "How to use GnuPG" is probably best left to the experts:
> 
> https://gnupg.org/documentation/guides.html
> 
> But here's how I would acquire this key and verify the signature. Note
> that the crucial identifier, the key fingerprint, is provided in the
> error message of the first command.
> 
> ------
> $ gpg --verify spice-0.14.0.tar.bz2.sign                   
> gpg: assuming signed data in 'spice-0.14.0.tar.bz2'
> gpg: Signature made Wed 11 Oct 2017 07:33:58 AM EDT
> gpg:                using RSA key
> 94A9F75661F77A6168649B23A9D8C21429AC6C82 gpg: Can't check signature:
> No public key
> 
> $ gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys
> 94A9F75661F77A6168649B23A9D8C21429AC6C82
> 
> $ gpg --verify
> spice-0.14.0.tar.bz2.sign gpg: assuming signed data in
> 'spice-0.14.0.tar.bz2' gpg: Signature made Wed 11 Oct 2017 07:33:58
> AM EDT gpg:                using RSA key
> 94A9F75661F77A6168649B23A9D8C21429AC6C82 gpg: Good signature from
> "Christophe Fergeau (teuf) <address@hidden>" [unknown]
> gpg:                 aka "Christophe Fergeau
> <address@hidden>" [unknown] gpg:                 aka "Christophe
> Fergeau <address@hidden>" [unknown] gpg:                 aka
> "Christophe Fergeau <address@hidden>" [unknown] gpg: WARNING:
> This key is not certified with a trusted signature! gpg:
> There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 94A9 F756 61F7 7A61 6864  9B23 A9D8 C214
> 29AC 6C82 ------
> 

Ooh, thanks.

> We can be reasonably sure that someone with that private key signed
> the tarball. Now, is it the right key? Hopefully the upstream
> documentation says which keys are considered "authorized" to sign
> Spice releases.

I didn't find anything. *shrugs*

--
Andy

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#29540] [PATCH] gnu: spice: Update to 0.14.0., Andy Patterson, 2017/12/02
- [bug#29540] [PATCH] gnu: spice: Update to 0.14.0., Leo Famulari, 2017/12/02
  - [bug#29540] [PATCH] gnu: spice: Update to 0.14.0., Andy Patterson <=
    - [bug#29540] [PATCH] gnu: spice: Update to 0.14.0., Ricardo Wurmus, 2017/12/03
    - [bug#29540] [PATCH] gnu: spice: Update to 0.14.0., Leo Famulari, 2017/12/04
- bug#29540: [PATCH] gnu: spice: Update to 0.14.0., Leo Famulari, 2017/12/04

Prev by Date: [bug#29544] FVWM: Update to 2.6.7
Next by Date: [bug#29536] [PATCH] gnu: Add cava.
Previous by thread: [bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Next by thread: [bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
Index(es):
- Date
- Thread