Re: [Help-bash] How to use files like bash-5.0.tar.gz.sig?
From: Eric Blake
Subject: Re: [Help-bash] How to use files like bash-5.0.tar.gz.sig?
Date: Mon, 21 Jan 2019 11:58:59 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

On 1/21/19 11:51 AM, Peng Yu wrote:
> Hi,
>
>> Download both bash-5.0.tar.gz and the .sig file into the same directory,
>> then run:
>>
>> $ gpg --verify bash-5.0.tar.gz.sig
>>
>> to learn if gpg can validate that your copy of bash-5.0.tar.gz is
>> byte-wise accurate to the one that Chet signed as being authentic.
>
> I got this. How to fix the problem?
>
> $ gpg --verify bash-5.0.tar.gz.sig
> gpg: assuming signed data in 'bash-5.0.tar.gz'
> gpg: Signature made Mon Jan 7 07:58:19 2019 CST
> gpg: using DSA key 7C0135FB088AAF6C66C650B9BB5869F064EA74AB
> gpg: Can't check signature: No public key

You haven't downloaded Chet's key, then. This will download it
(assuming your gpg installation is set up to point to typical public
keyservers already):

$ gpg --recv-keys 0xBB5869F064EA74AB

Then, depending on your level of paranoia, and how many GPG key-signing
parties you have participated in, you will either have to just assume
that you did indeed get Chet's public key, or you will be able to rely
on the GPG web-of-trust to trace between keys you have signed back
through people who have in turn signed Chet's key. But proper GPG
signing is a topic all its own, and further questions about it will
probably be answered more definitively on lists dedicated to GPG than on
this list.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
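
Added example (not part of Eric Blake's message and not the bash project's own tooling): a script-friendly form of the check discussed in this thread, reading gpg's --status-fd lines and accepting the file only when the signature is valid and was made by the full fingerprint shown in the quoted gpg output. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Decide whether a detached signature is acceptable from gpg's
# machine-readable status lines rather than its human-readable output.

# Full fingerprint printed in the gpg output quoted in this thread.
EXPECTED_FPR=7C0135FB088AAF6C66C650B9BB5869F064EA74AB

# classify_gpg_status EXPECTED_FPR   (status lines on stdin)
# Prints one verdict word; returns 0 only for "ok".
classify_gpg_status() {
    verdict=$(awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "VALIDSIG"  { valid = 1; fpr = toupper($3) }
        END {
            if (bad)                       print "bad-signature"
            else if (nokey)                print "missing-key"
            else if (stale)                print "key-expired-or-revoked"
            else if (!valid)               print "not-verified"
            else if (fpr != toupper(want)) print "wrong-signer"
            else                           print "ok"
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# verify_detached SIGFILE [DATAFILE]: run gpg, then classify its status output.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null |
        classify_gpg_status "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run).
SAMPLE_NO_KEY='[GNUPG:] ERRSIG BB5869F064EA74AB 17 8 00 1546869499 9
[GNUPG:] NO_PUBKEY BB5869F064EA74AB'
SAMPLE_OK='[GNUPG:] GOODSIG BB5869F064EA74AB Constructed User <user@example.invalid>
[GNUPG:] VALIDSIG 7C0135FB088AAF6C66C650B9BB5869F064EA74AB 2019-01-07 1546869499 0 4 0 17 8 00 7C0135FB088AAF6C66C650B9BB5869F064EA74AB'
SAMPLE_OTHER_KEY='[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2019-01-07 1546869499 0 4 0 17 8 00 0000000000000000000000000000000000000001'

# Demo on the constructed "No public key" case from the thread.
printf '%s\n' "$SAMPLE_NO_KEY" | classify_gpg_status "$EXPECTED_FPR" || true
```

With gpg installed and both files in the same directory, `verify_detached bash-5.0.tar.gz.sig` applies the same classification to a real run.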