Difference between revisions of "GPG Signatures"
(Fixing instructions to use our locally exported public key.) |
|||
| Line 1: | Line 1: | ||
{{Subpages|Metro Plaintext Keys}} | {{Subpages|Metro Plaintext Keys}} | ||
The Funtoo Linux master GPG signing key is the {{c|drobbins@funtoo.org}} key (the "BDFL key"), which has the following signature: | |||
{{TableStart}} | {{TableStart}} | ||
| Line 18: | Line 18: | ||
gpg> ##i##quit | gpg> ##i##quit | ||
}} | }} | ||
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ''ultimately'', you will automatically ''fully'' trust the build server | Each build server key has been signed by the BDFL key, so by trusting the BDFL key ''ultimately'', you will automatically ''fully'' trust the build server key. | ||
Next, head to [[GPG Signatures/Metro Plaintext Keys]] and copy and paste the public key and associated signatures for the metro build server into a file called {{c|node.txt}}. Then, import this key into GPG: | |||
{{console|body= | {{console|body= | ||
$ ##i##gpg -- | $ ##i##gpg --import node.txt | ||
}} | }} | ||
| Line 39: | Line 39: | ||
gpg: depth: 0 valid: 1 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 1u | gpg: depth: 0 valid: 1 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 1u | ||
gpg: depth: 1 valid: 4 signed: 0 trust: 3-, 1q, 0n, 0m, 0f, 0u | gpg: depth: 1 valid: 4 signed: 0 trust: 3-, 1q, 0n, 0m, 0f, 0u | ||
gpg: Good signature from "Daniel Robbins (metro: | gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full] | ||
}} | }} | ||
Revision as of 18:46, December 3, 2021
The Funtoo Linux master GPG signing key is the drobbins@funtoo.org key (the "BDFL key"), which has the following signature:
| GPG key name/email | GPG comment | Fingerprint |
|---|---|---|
Daniel Robbins drobbins@funtoo.org | BDFL | D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE |
To verify the integrity of stage3 tarballs using GPG, first download your preferred stage3 taball, and the matching file with the additional .gpg extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the last 8 digits of the BDFL fingerprint,) and assign ultimate trust to it:
user $ gpg --keyserver pgp.mit.edu --recv-key E986E8EE user $ gpg --edit-key E986E8EE gpg> trust Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y gpg> quit
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ultimately, you will automatically fully trust the build server key.
Next, head to GPG Signatures/Metro Plaintext Keys and copy and paste the public key and associated signatures for the metro build server into a file called node.txt. Then, import this key into GPG:
user $ gpg --import node.txt
Then, you can use the gpg --verify command to verify the stage3's GPG signature:
user $ gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
You should see output similar to this, which will specify the last 8 digits of the signing GPG fingerprint:
gpg: Signature made Sun 25 Dec 2016 03:57:27 PM MST using RSA key ID 613539CB gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 4 signed: 0 trust: 3-, 1q, 0n, 0m, 0f, 0u gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full]
For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html