[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Public key for verifying emacs sources?
From: |
Eli Zaretskii |
Subject: |
Re: Public key for verifying emacs sources? |
Date: |
Sun, 18 Jul 2021 15:05:03 +0300 |
> Date: Sun, 18 Jul 2021 14:38:07 +0300
> From: Jean Louis <bugs@gnu.support>
> Cc: help-gnu-emacs@gnu.org
>
> * Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > > From: Steve Revilak <steve@srevilak.net>
> > >
> > > Where can I find a copy of the signing key, so I can verify the source
> > > distribution I've downloaded?
> >
> > Download the latest gnu-keyring.gpg from
> > https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
> >
> > gpg --import gnu-keyring.gpg
> >
> > Then try verifying the signature again.
>
> Me too, I have done the import and I see large number of keys. While
> it is good that keys are distributed from official GNU.org server,
> there is no published assurance that GNU project verified each key to
> belong to the person it should belong. Thus one shall not forget
> security depends on the weakest part.
Please take this up with the GNU FTP site maintainers. I didn't
upload my key to any place, I sent them my key and asked for upload
rights. I don't know what they did with the key.
This issue doesn't belong on this forum anyway.