Fwd: which program use: gpg or gpgv?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jul 6 02:56:56 CEST 2017


On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:
> Hi,
> my Debian 8.8 has these programs related to gpg:
>
> -rwxr-xr-x  1 root   root    1128700 Sep  3  2016 gpg
> -rwxr-xr-x  1 root   root     913236 Sep  3  2016 gpg2
> -rwxr-xr-x  1 root   root     334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x  1 root   root     148108 Sep  3  2016 gpgconf
> -rwxr-xr-x  1 root   root     165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x  1 root   root      38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x  1 root   root      25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x  1 root   root      59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x  1 root   root     407820 Sep  3  2016 gpgv
> -rwxr-xr-x  1 root   root       3303 Sep  3  2016 gpg-zip
>
> Are they enough, or not, for verifying the integrity of packages?

More recent versions of debian will use gpgv for verifying integrity of
downloaded system packages, and do not need gpg itself for this purpose.

If you want to verify packages signed by other developers, you'll need
to get their keys, though, and that requires knowing their keys.

According to the versions at https://ftp.gnu.org/gnu/screen/, it looks
like screen 4.5.1 has been signed with key
0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent
version of screen (4.6.0) has been signed with
0x2EE59A5D0C50167B5535BBF1B708A383C53EF3A4.

Which of these keys is a legitimate key to validate versions of screen?
I don't know!  They're both listed in
https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen
though, so perhaps they're both acceptable.


If you fetch the maintainers' file from savannah, and convert it into an
OpenPGP binary form, you should be able to validate the screen package
against it:

    wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen&download=1'
    gpg --dearmor < screen-keys.asc > screen-keys.gpg

    wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
    gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz


This should show you something like:

    gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
    gpgv:                using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
    gpgv: Good signature from "Alexander Naumov <alexander_naumov at opensuse.org>"

Note, however, that you've only moved the responsibility from verifying
the package to verifying which keys actually are the legitimate keys for
the maintainers of GNU screen.  So it's a win, but it's not perfect.

hth,

        --dkg
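Added example, not part of dkg's message or of GnuPG itself: a POSIX sh wrapper around the gpgv step above that reads gpgv's machine-readable --status-fd output and accepts a release only when the signing key's primary fingerprint is on an explicit allowlist, which is the trust decision the message says gpgv cannot make for you. The names SCREEN_RELEASE_KEYS, check_status and verify_release are my own, and the status lines used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original message): make the gpgv step fail
# closed unless the signature was made by a key we have explicitly chosen
# to trust for GNU screen releases.

# The two fingerprints named in the message. Maintaining this list is the
# part of the trust decision that gpgv itself cannot make for you.
SCREEN_RELEASE_KEYS="71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
2EE59A5D0C50167B5535BBF1B708A383C53EF3A4"

# check_status ALLOWED < status-lines
# Reads gpgv --status-fd output on stdin. Exits 0 only if a VALIDSIG line
# names a primary-key fingerprint listed in ALLOWED (one per line) and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line appears; prints the accepted
# fingerprint so the caller can log which key actually signed the release.
check_status() {
  allowed=$1
  accepted=
  failed=0
  while read -r prefix keyword rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case $keyword in
      VALIDSIG)
        # The last field of VALIDSIG is the primary-key fingerprint, which
        # is what the allowlist names even if a signing subkey was used.
        primary=${rest##* }
        if printf '%s\n' "$allowed" | grep -qixF "$primary"; then
          accepted=$primary
        fi
        ;;
      BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
        failed=1
        ;;
    esac
  done
  [ "$failed" -eq 0 ] && [ -n "$accepted" ] || return 1
  printf '%s\n' "$accepted"
}

# verify_release KEYRING SIGFILE DATAFILE
# Same gpgv invocation as in the message (KEYRING must be an absolute path,
# as $(pwd)/screen-keys.gpg is there), but with status output piped through
# check_status so the exit status means "signed by an approved key", not
# merely "signed by some key in the keyring".
verify_release() {
  gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null |
    check_status "$SCREEN_RELEASE_KEYS"
}
```

Usage: `verify_release "$(pwd)/screen-keys.gpg" screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz || echo "rejected"`.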