Fwd: which program use: gpg or gpgv?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jul 6 02:56:56 CEST 2017
On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:
> my Debian8.8 has the programs about gpg:
> -rwxr-xr-x 1 root root 1128700 Sep 3 2016 gpg
> -rwxr-xr-x 1 root root 913236 Sep 3 2016 gpg2
> -rwxr-xr-x 1 root root 334260 Sep 3 2016 gpg-agent
> -rwxr-xr-x 1 root root 148108 Sep 3 2016 gpgconf
> -rwxr-xr-x 1 root root 165508 Sep 3 2016 gpg-connect-agent
> -rwxr-xr-x 1 root root 38144 Sep 3 2016 gpgkey2ssh
> -rwxr-xr-x 1 root root 25908 Sep 3 2016 gpgparsemail
> -rwxr-xr-x 1 root root 59104 Sep 3 2016 gpgsplit
> -rwxr-xr-x 1 root root 407820 Sep 3 2016 gpgv
> -rwxr-xr-x 1 root root 3303 Sep 3 2016 gpg-zip
> Are they enough or no, for verifying integrity of packages?
more recent versions of debian will use gpgv for verifying integrity of
downloaded system packages, and do not need gpg itself for this purpose.
If you want to verify packages signed by other developers, you'll need
to get their keys, though, and that requires knowing their keys.
According to the versions at https://ftp.gnu.org/gnu/screen/, it looks
screen 4.5.1 has been signed with key
0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent
version of screen (4.6.0) has been signed with
Which of these keys is a legitimate key to validate versions of screen?
I don't know! They're both listed in
though, so perhaps they're both acceptable.
If you fetch the maintainers' file from savannah, and convert it into an
OpenPGP binary form, you should be able to validate the screen package
wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen&download=1'
gpg --dearmor < screen-keys.asc > screen-keys.gpg
wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz
This should show you something like:
gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
gpgv: using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
gpgv: Good signature from "Alexander Naumov <alexander_naumov at opensuse.org>"
Note, however, that you've only moved the responsibility from verifying
the package to verifying which keys actually are the legitimate keys for
the maintainers of GNU screen. So it's a win, but it's not perfect.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 832 bytes
Desc: not available
More information about the Gnupg-users