Ludovic Courtès (2016-01-03 14:10 +0300) wrote:

> Alex Kost <[email protected]> skribis:
>
>> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>>
>>> I’ve amended that section of the manual based on text from the
>>> announcement (see
>>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>>> Step 1 becomes:
>>>
>>>
>>>   1. Download the binary tarball from
>>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>>      running the kernel Linux, and so on.
>>>
>>>      Make sure to download the associated ‘.sig’ file and to verify the
>>>      authenticity of the tarball against it, along these lines:
>>>
>>>           $ wget
>>> ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>           $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>>
>>>      If that command fails because you don’t have the required public
>>>      key, then run this command to import it:
>>>
>>>           $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>>
>> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?
>
> I would expect that the command together with the previous sentence
> suggest that 3D9AEBB5 identifies the key used to sign the package, no?

Hm, not for me.  But obviously my problem comes from the fact that I
know nothing about encryption, security, signatures, etc.  And as a
total noob I trust binaries from "gnu.org" more than the scaring
"3D9AEBB5" thing just because I don't understand it.

>> Hm, apparently it is some key, but what key? where did it come from? is
>> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
>> should read gpg manual to find it out… but I won't».  And then I will
>> not check the signature because I trust the tarball from "gnu.org" but I
>> don't trust a thing that I don't understand.  (I talk only for myself,
>> I think other people are more conscious users)
>>
>> I think it will be also good to explain what "3D9AEBB5" means.
>
> I would prefer to refer to a more complete document such as the GNU
> Privacy Handbook, but I don’t know what its current status is:
>
>   https://www.gnupg.org/gph/en/manual.html#AEN136

Thanks for the pointer!  I hope it will clarify some things for me :-)

-- 
Alex
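
What an identifier like "3D9AEBB5" is, as an added example (not part of this thread or of the Guix manual): for a version 4 OpenPGP key, the short key ID is the last 32 bits of the key's SHA-1 fingerprint (RFC 4880, section 12.2). The key material and helper names below are constructed for illustration and are not the Guix signing key; because 32 bits cannot identify a key uniquely, the check compares full fingerprints.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def toy_key_body(n: int, created: int = 1446336000) -> bytes:
    """Constructed RSA public-key packet body: version 4, creation time,
    algorithm 1 (RSA), then the MPIs n and e. Not a real key."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(65537)


def v4_fingerprint(key_packet_body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    data = b"\x99" + struct.pack(">H", len(key_packet_body)) + key_packet_body
    return hashlib.sha1(data).hexdigest().upper()


def key_ids(fingerprint: str) -> tuple:
    """Return (long_id, short_id): the low 64 and low 32 bits of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]


def is_expected_key(fingerprint: str, pinned_fingerprint: str) -> bool:
    """Compare all 160 bits against a fingerprint obtained from a trusted source."""
    def normalize(s: str) -> str:
        return s.replace(" ", "").upper()
    return normalize(fingerprint) == normalize(pinned_fingerprint)


# Two constructed keys that differ only in the last byte of the modulus.
KEY_A = toy_key_body(0xC0FFEE1234567890ABCDEF0123456789)
KEY_B = toy_key_body(0xC0FFEE1234567890ABCDEF012345678B)

if __name__ == "__main__":
    for body in (KEY_A, KEY_B):
        fp = v4_fingerprint(body)
        long_id, short_id = key_ids(fp)
        print("fingerprint:", fp, "long ID:", long_id, "short ID:", short_id)
```

The short ID is enough to ask a keyserver for a key, but the decision to trust the imported key should rest on the full fingerprint, as shown by `gpg --fingerprint`.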
