Reputation: 718
where can I find the public key for Gnu Emacs?
I have used emacs for only half a year from 23.1 to 23.3.
Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version, I failed.
It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...
I can only find SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check
How do I do this?
Upvotes: 44
Views: 19956
Answers (5)
Reputation: 3209
Emacs need update package gnu-elpa-keyring-update. But... without updated gnu-elpa-keyring-update package you can't do it.
For this reason, it is necessary to do the following:
- Disable checking signature of packages and package archive with settings
package-check-signaturetonil. - Install package
gnu-elpa-keyring-update. - Restore
package-check-signaturevariable value.
Code from my init.el (add after setting package archives, but before installing any package with use-package or another tools):
(add-to-list 'package-pinned-packages '("gnu-elpa-keyring-update" . "gnu"))
(unless (package-installed-p 'gnu-elpa-keyring-update)
;; Save default value of `package-check-signature' variable
(defvar package-check-signature-default package-check-signature)
;; Disable signature checking
(setq package-check-signature nil)
;; Download package archives (without signature checking)
(package-refresh-contents)
;; Install package `gnu-elpa-keyring-update' (without signature checking)
(package-install 'gnu-elpa-keyring-update t)
;; Restore `package-check-signature' value to default.
(setq package-check-signature package-check-signature-default))
Upvotes: 1
Reputation: 73365
There is a README file at the root level of the GNU FTP server which explains how to use the signatures.
See https://ftp.gnu.org/README for the up-to-date version.
The current file says:
There are also .sig files, which contain detached GPG signatures of the above
files, automatically signed by the same script that generates them.
You can verify the signatures for gnu project files with the keyring file from:
https://ftp.gnu.org/gnu/gnu-keyring.gpg
In a directory with the keyring file, the source file to verify and the
signature file, the command to use is:
$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
Upvotes: 18
Reputation: 4606
The GNU keyring is at https://ftp.gnu.org/gnu/gnu-keyring.gpg
You can import them locally (after downloading) with
gpg --import gnu-keyring.gpg
Upvotes: 34
Reputation: 14634
The answer from @vhallac is now out of date (I'm trying to verify an emacs-24.4 download). If you don't want to download and import the entire GNU keyring (as @JSON discussed), here's a way to get this done. In this answer I'll show what works today but also how to figure out what will work a year from now.
First download emacs and its .sig file. I have:
$ ls | grep emacs
emacs-24.4.tar.xz
emacs-24.4.tar.xz.sig
Assuming you already have gpg installed, try to verify it:
$ gpg --verify emacs-24.4.tar.xz.sig
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Can't check signature: public key not found
In this attempt, it fails (you'll see a successful attempt at the end of this post). I don't have the public key. The output tells you which public key you need to obtain: A0B0F199. (This is the thing that will most likely change in the future.)
So I then try to download it with the default command:
$ gpg --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
(...hangs here...)
It just hangs. That's because I have ufw (my Linux firewall software) blocking most ports. You can tell gpg to use port 80, like so:
$ gpg --keyserver hkp://keys.gnupg.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
gpgkeys: key A0B0F199 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
That got through the firewall, but fails because, for some reason, the Emacs/FSF keys are no longer being stored on the gnupg server. So I tried the other keyserver I know about and have some level of trust of:
$ gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server pool.sks-keyservers.net
gpg: key A0B0F199: public key "Glenn Morris <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK, it worked. Now check it:
$ gpg --list-keys
...
pub 2048R/A0B0F199 2012-12-23 [expires: 2015-12-23]
uid Glenn Morris <[email protected]>
sub 2048R/951C59EC 2012-12-23 [expires: 2015-12-23]
Yep, got it.
Now I can verify the downloaded emacs tarball:
$ gpg --verify emacs-24.4.tar.xz.sig
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Good signature from "Glenn Morris <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B294 26DE FB07 724C 3C35 E5D3 6592 E9A3 A0B0 F199
The signature is "good", but not trusted. See the other answers for how to trust that key.
Upvotes: 15
Reputation: 13957
If you try to verify the signature using
gpg --verify <pkg>.key
you'll get an output like the following:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key
The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:
gpg --recv-keys BE216115
Which resulted in the following on my installation:
gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2 valid: 6 signed: 1 trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1
Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:
gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: aka "Francesco Potortì <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115
So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:
gpg --edit-key BE216115
In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard
Upvotes: 40
Related Questions
- How can I display actual public/private key of key pair I just generated with gpg?
- (gnupg) Which is the public and which is the private key in this pair?
- How to get public key from an OpenPGP smart card without using key servers?
- What is the public URL for the GitHub GPG keys
- What is GitHub's public GPG key?
- Official Python GPG Signing Key - Where is it? - gpg: using RSA key FC624643487034E5
- Where can I find the public key for commits done from GitHub.com?
- How to fetch OpenPGP key for Mesos installation?
- Getting the email address of a gnupg public key from an encrypted file
- gnupg decryption using public key provided by the vendor