At 13:51 10-12-2008, LuKreme wrote:
I read the man page, where there is no mention of how to obtain this
number. In fact, I read many posts, and many webpages and have still
not found that information.  I've seen the IDs in others' posts, sure,
but where do they originate?

sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of the updates. The Sought rules webpage mentions how to download the GPG key. If you want to understand how GPG works or how to use GPG keys, you should read the GPG documentation.

Even searching the wiki (which just links to the previously linked http://taint.org/2007/08/15/004348a.html) is merely a "here's the random-looking digits you pass to --gpgkey"
and not a "here's what the --gpgkey is, means, and how it's generated".

The gpgkey parameter for sa-update specifies which GPG key ID should be trusted to sign the updates. You can use the gpg command to find out what the key ID is. That's not a random number; it's a hexadecimal number which identifies the key.

Why doesn't sa-learn simply trust the keys that are added to its
keychain without this extra (and at least for me, confusing) step? I'm
starting to think the simplest way to do this is just ignore the gpg
flags entirely and use --nogpg.  What's the downside to this (other
than the obvious DNS hijacking to point the URL to some spammer site
with bad data which seems a remote enough chance to ignore).

Because sa-update is designed to provide updates in a secure way. If you want the simplest way, you can ignore these steps and face the consequences when something goes wrong.

Regards,
-sm
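
An added example, not part of the original message: it shows where a key ID comes from by parsing gpg's machine-readable `--with-colons` listing of a downloaded key file. The key data, user ID, and the file name `GPG.KEY` are constructed placeholders, not the real key of any rule channel.

```shell
#!/bin/sh
# Added example. Reads `gpg --with-colons` key listing on stdin and prints one
# line per primary key: SHORT_ID LONG_ID FINGERPRINT USER_ID
# For a v4 OpenPGP key the long ID is the last 16 hex digits of the
# fingerprint, and the short ID is the last 8.
key_ids_from_colons() {
    awk -F: '
        function emit() {
            if (keyid != "")
                printf "%s %s %s %s\n", substr(keyid, 9), keyid, fpr, uid
            keyid = ""; fpr = ""; uid = ""
        }
        # pub record: field 5 is the 64-bit (long) key ID
        $1 == "pub" { emit(); keyid = $5; primary = 1; next }
        # fingerprints that follow a sub record belong to the subkey: skip them
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary && fpr == "" { fpr = $10; next }
        $1 == "uid" && uid == "" { uid = $10; next }
        END { emit() }
    '
}

# Constructed sample of what gpg prints for a key file (not a real key).
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:0123456789ABCDEF:1199145600:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1199145600::HASH::Example Rules Signing Key <rules@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1199145600::::::e::::::23:
fpr:::::::::9999888877776666555544441111222233334444:
EOF
}

sample_colons | key_ids_from_colons

# With a real downloaded key file (GPG.KEY is a placeholder name):
#   gpg --show-keys --with-colons GPG.KEY | key_ids_from_colons
#   sa-update --import GPG.KEY        # add the key to sa-update's own keyring
#   sa-update --gpgkey <ID printed above> --channel <channel name>
```

Compare the printed fingerprint with the one the key's publisher lists before passing the ID to `--gpgkey`; the ID only names a key, it does not prove who issued it.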
