On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:
> Hi,
> my Debian 8.8 has the programs about gpg:
>
> -rwxr-xr-x 1 root root 1128700 Sep  3  2016 gpg
> -rwxr-xr-x 1 root root  913236 Sep  3  2016 gpg2
> -rwxr-xr-x 1 root root  334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x 1 root root  148108 Sep  3  2016 gpgconf
> -rwxr-xr-x 1 root root  165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x 1 root root   38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x 1 root root   25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x 1 root root   59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x 1 root root  407820 Sep  3  2016 gpgv
> -rwxr-xr-x 1 root root    3303 Sep  3  2016 gpg-zip
>
> Are they enough or not, for verifying the integrity of packages?
More recent versions of Debian will use gpgv for verifying the integrity of downloaded system packages, and do not need gpg itself for this purpose. If you want to verify packages signed by other developers, you'll need to get their keys, though, and that requires knowing their keys.

According to the versions at https://ftp.gnu.org/gnu/screen/, it looks like screen 4.5.1 has been signed with key 0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent version of screen (4.6.0) has been signed with 0x2EE59A5D0C50167B5535BBF1B708A383C53EF3A4.

Which of these keys is a legitimate key to validate versions of screen? I don't know! They're both listed in https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen though, so perhaps they're both acceptable.

If you fetch the maintainers' file from savannah, and convert it into an OpenPGP binary form, you should be able to validate the screen package against it:

    wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen&download=1'
    gpg --dearmor < screen-keys.asc > screen-keys.gpg
    wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
    gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz

This should show you something like:

    gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
    gpgv:                using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
    gpgv: Good signature from "Alexander Naumov <alexander_nau...@opensuse.org>"

Note, however, that you've only moved the responsibility from verifying the package to verifying which keys actually are the legitimate keys for the maintainers of GNU screen. So it's a win, but it's not perfect.

hth,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
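The gpgv workflow from dkg's reply, written out as an added example that runs offline (it is not code from the thread, from GNU screen or from the GnuPG project). Instead of fetching the savannah keyring and the real screen tarball, it generates a throwaway signing key with an assumed user ID ("Demo Maintainer <demo@example.invalid>"), signs a constructed file standing in for the tarball, exports the key armored the way savannah publishes it, dearmors it, and verifies with gpgv. It also does the one thing the reply says is still missing: it pins the expected signer fingerprint and refuses a signature from any other key, so that "which key is legitimate" becomes a single fingerprint you decide on once. It assumes GnuPG 2.1 or later (for --quick-gen-key and gpgv --status-fd) is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Demonstrates:
#   armored keys -> gpg --dearmor -> gpgv --keyring, plus fingerprint pinning.
# The key, user ID and "tarball" below are constructed for the demo.
set -eu

have_tools() {
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1
}

# verify_with_pinned_key KEYRING SIG FILE EXPECTED_FPR
# Succeeds only if gpgv reports a good signature AND the key that made it has
# the pinned fingerprint. A keyring may hold several maintainer keys; pinning
# answers "which of these keys is legitimate" explicitly instead of trusting all.
verify_with_pinned_key() {
    keyring=$1; sig=$2; file=$3; expected=$4
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the full
    # fingerprint of the signing key and is only printed for a good signature.
    status=$(gpgv --status-fd 1 --keyring "$keyring" "$sig" "$file" 2>/dev/null) || return 1
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

run_demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    uid='Demo Maintainer <demo@example.invalid>'   # assumed identity for the demo

    # 1. A throwaway key stands in for the maintainer's key (savannah side).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" rsa2048 sign 1d
    fpr=$(gpg --batch --with-colons --with-fingerprint --list-keys "$uid" \
          | awk -F: '/^fpr:/ { print $10; exit }')

    # 2. A constructed "release tarball" and its detached signature (ftp.gnu.org side).
    printf 'constructed tarball contents\n' > "$work/demo.tar.gz"
    gpg --batch --quiet --detach-sign --output "$work/demo.tar.gz.sig" "$work/demo.tar.gz"

    # 3. Publish the key armored (as memberlist-gpgkeys.php does), then dearmor
    #    it into the binary keyring gpgv reads (the post's gpg --dearmor step).
    gpg --batch --armor --export "$uid" > "$work/keys.asc"
    gpg --dearmor < "$work/keys.asc" > "$work/keys.gpg"

    # 4. Untampered file, pinned fingerprint: must verify.
    verify_with_pinned_key "$work/keys.gpg" "$work/demo.tar.gz.sig" "$work/demo.tar.gz" "$fpr"

    # 5. Tampered file: gpgv must report a bad signature.
    cp "$work/demo.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    if verify_with_pinned_key "$work/keys.gpg" "$work/demo.tar.gz.sig" "$work/tampered.tar.gz" "$fpr"; then
        echo "BUG: tampered file verified" >&2; return 1
    fi

    # 6. Good signature but from a key that is not the pinned one: must be refused.
    if verify_with_pinned_key "$work/keys.gpg" "$work/demo.tar.gz.sig" "$work/demo.tar.gz" \
           0000000000000000000000000000000000000000; then
        echo "BUG: signature from unpinned key accepted" >&2; return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "gpgv checks behaved as expected; signer fingerprint $fpr"
}

if have_tools; then
    run_demo
else
    echo "gpg and gpgv are required for this demo; nothing run" >&2
fi
```

For a real release you would replace step 1 with the fingerprint you have decided to trust (for example after checking it against the savannah member list and a second source), step 2 with the downloaded tarball and .sig, and step 3 with the savannah keys file; everything from step 4 on stays the same. gpgv treats every key in the keyring as trusted, which is why the fingerprint comparison is done on the VALIDSIG status line rather than on the keyring's contents.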