Re: Public key for verifying emacs sources?
From: Jean Louis
Subject: Re: Public key for verifying emacs sources?
Date: Sun, 18 Jul 2021 14:38:07 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)
* Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > From: Steve Revilak <steve@srevilak.net>
> >
> > Where can I find a copy of the signing key, so I can verify the source
> > distribution I've downloaded?
>
> Download the latest gnu-keyring.gpg from
> https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
>
> gpg --import gnu-keyring.gpg
>
> Then try verifying the signature again.
Me too, I have done the import and I see a large number of keys. While
it is good that keys are distributed from the official GNU.org server,
there is no published assurance that the GNU project verified that each
key belongs to the person it should belong to. Thus one shall not forget
that security depends on the weakest part.

In other words, verifying that a package belongs to a specific key is one
level of security; it does not verify that the key belongs to the specific
author the package claims to belong to, unless both sender and recipient
verify each other's personal identity and fingerprints.

Better security than PGP for Emacs packages on GNU ELPA is represented by
the fact that many developers and users are looking into packages anyway.

IMHO, PGP in GNU ELPA is kind of redundant, as the true verification of
the keys and fingerprints would be a rather tedious activity.
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
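The distinction drawn in this thread, a signature that checks out against some key in gnu-keyring.gpg versus a key whose fingerprint you have confirmed out of band, can be enforced in a script. The following is an added example, not code from the thread or from the GNU project; it assumes gnu-keyring.gpg has already been downloaded into the current directory, that the detached signature sits beside the tarball as `<tarball>.sig`, and that the expected fingerprint (a placeholder below) was obtained from the maintainer directly rather than from the same server as the tarball. It reads gpg's machine-readable `--status-fd` output instead of trusting a zero exit code alone.

```shell
#!/bin/sh
# Verify a GNU tarball's detached signature and pin the signer's fingerprint.
# A VALIDSIG line only proves "signed by this key"; comparing the fingerprint
# against a value you confirmed out of band ties the key to the author.

# Succeed only if the gpg status output contains a VALIDSIG line whose signing
# key fingerprint (field 3) or primary key fingerprint (last field) equals the
# pinned value. Case-insensitive, since fingerprints are often quoted in either.
validsig_matches() {
    status="$1"
    expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    printf '%s\n' "$status" | awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == want || toupper($NF) == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run gpg against the downloaded keyring only (not the user's default keyring)
# and route status lines to stdout so they can be captured and parsed.
# The keyring path must contain a slash, otherwise gpg looks inside GNUPGHOME.
verify_gnu_tarball() {
    tarball="$1"
    expected_fpr="$2"
    keyring="${3:-./gnu-keyring.gpg}"
    status=$(gpg --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null)
    if validsig_matches "$status" "$expected_fpr"; then
        echo "OK: $tarball carries a valid signature from pinned key $expected_fpr"
    else
        echo "FAIL: no valid signature from the pinned key for $tarball" >&2
        return 1
    fi
}

# Example invocation; the fingerprint is a placeholder, replace it with the
# value you confirmed with the maintainer out of band.
# verify_gnu_tarball emacs-27.2.tar.xz "0000000000000000000000000000000000000000"
```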