On 10-Dec-2008, at 22:18, SM wrote:
At 20:39 10-12-2008, LuKreme wrote:
And the source of that number is, evidently, a complete mystery.
That's my point.  I've seen lots of instructions like this:

# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from
the ether.

Once you have imported the key, you can use gpg --list-keys to find the key ID.

AHA! That's the crucial step I was missing and no one seemed able to provide. Thank You! There's progress at least:

I ssh to the server and then I sudo su (so I am sure I have discarded my own login environment; I do not normally do this).

mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
gpg: error reading key: No public key

At least on my FreeBSD, there's no man page for gpg, and the --help doesn't point out anything obvious. If I run it without specifying a file, I get this:

mail# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/11F63C51 2002-02-28
uid                  Jamie Cameron <[EMAIL PROTECTED]>
sub   1024g/1B24BE83 2002-02-28

By adding the key to the keychain, you are trusting it. The security part is that you can verify whether the signer generated the updates. Even if the host is compromised, you are "safe" as long as the private key is secure and the signer still has your trust.

Riiight, but the public key I put in the keychain does all that, no? I'm still unclear on how the --gpgkey makes it more secure. If the file is signed, the signature is checked against the public key that I have in pubring.gpg. What does the gpgkey do?

--
I want a party where all the women wear new dresses and all the men
        drink beer. -- Jason Gaes
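The step the thread was missing, as an added example that is not part of the original exchange: gpg treats a bare filename argument as a key search pattern (hence "No public key"), so the sa-update keyring has to be named with --keyring; the listing format, SA_KEYRING variable and sample key are assumptions, with the keyring path taken from the poster's command.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: the sa-update keyring
# lives where the poster looked; SA_KEYRING is a hypothetical variable name.
SA_KEYRING=${SA_KEYRING:-/etc/mail/spamassassin/sa-update-keys/pubring.gpg}

# gpg defaults to ~/.gnupg/pubring.gpg (the Jamie Cameron key in the thread).
# To read the sa-update keyring instead, pass it explicitly; a bare path
# after --list-keys is interpreted as a key ID/uid pattern, not a file.
list_sa_keys() {
    gpg --no-default-keyring --keyring "$SA_KEYRING" --list-keys
}

# Pull the short key IDs (the part after the slash on "pub" lines, which is
# the value sa-update expects after --gpgkey) out of classic-format
# gpg --list-keys output read on stdin.
extract_key_ids() {
    awk '$1 == "pub" { split($2, f, "/"); print f[2] }'
}

# Constructed sample listing in the same layout gpg printed in the thread;
# the uid and the second ID are placeholders, not a real rule channel key.
SAMPLE_LISTING='/etc/mail/spamassassin/sa-update-keys/pubring.gpg
-----------------------------------------------------
pub   1024D/0E28B3DC 2008-01-01
uid                  Example Rule Channel <rules@example.invalid>
sub   1024g/DEADBEEF 2008-01-01'

# Usage: with a real keyring, replace the printf with list_sa_keys.
printf '%s\n' "$SAMPLE_LISTING" | extract_key_ids
```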
