verify gcc download
John Clizbe
John at Mozilla-Enigmail.org
Tue Dec 29 21:09:24 CET 2009
David Durham wrote:
> Hello,
>
> I am trying to verify the download of a gcc-4.1.0.tar.bz2 file. I also
> downloaded the corresponding gcc-4.1.0.tar.bz2.sig file. I have tried
> gpg --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2, but it says "can't
> check signature, public key not found." Does this mean the file has been
> verified, but just not the signature? The file at
> ftp.gnu.org/MISSING-FILES.README says that all releases after 8-1-2003
> will be signed by the gpg maintainer who prepared the release. Does this
> mean I need to get the public keys of each maintainer for each software
> release I download? If so, could you please tell me how and where to get
> the appropriate public keys?

Yep, you need the public key(s). From looking at the sig file it was signed by
Mark Mitchell <mark at codesourcery.com> 0xB75C61B8

You may fetch the key beforehand (if you know the ID):

$ gpg --keyserver yogi --recv-key 0xB75C61B8

or add the appropriate options to the gpg command line:

$ gpg --keyserver yogi --keyserver-options auto-key-retrieve \
      --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2
gpg: Signature made 02/28/06 12:57:12 using DSA key ID B75C61B8
gpg: requesting key B75C61B8 from hkp server yogi
gpg: key B75C61B8: public key "Mark Mitchell <mark at codesourcery.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: please do a --check-trustdb
gpg: Good signature from "Mark Mitchell <mark at codesourcery.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B3C4 2148 A44E 6983 B3E4 CC07 93FA 9B1A B75C 61B8

You'd need to change the keyserver to something publicly accessible such as
pool.sks-keyservers.net.

I would have thought there'd be an easily found keyring for gcc distros.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
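
Added example, not part of the original message and not GnuPG's own code: "Good signature" from a key fetched off a keyserver only shows that the file matches that key, so this sketch accepts a signature only when gpg's machine-readable status names a fingerprint pinned beforehand. The function names are hypothetical, the sample status lines are constructed, and the pinned value is the fingerprint printed in the output above, which you would confirm through a separate channel.

```sh
#!/bin/sh
# Added example: accept a signature only if it comes from a pinned key.
# Fingerprint copied from the gpg output quoted above, spaces removed.
PINNED_FPR="B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8"

# Constructed sample of `gpg --status-fd` output (timestamp is made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG 93FA9B1AB75C61B8 Mark Mitchell <mark at codesourcery.com>
[GNUPG:] VALIDSIG B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8 2006-02-28 1141131432 0 3 0 17 2 00 B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8'

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read status lines on stdin. Succeed only if a VALIDSIG line names the
# expected primary key and no bad/expired/revoked status was reported.
status_matches_fpr() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint (field 3).
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# Hypothetical wrapper: verify file $2 against detached signature $1 with
# the keys already in the local keyring (no auto-key-retrieve).
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_fpr "$PINNED_FPR"
}
```

Called as verify_pinned gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2, it returns 0 only for a valid signature from the pinned key.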
More information about the Gnupg-users
mailing list