Alex Kost <alez...@gmail.com> skribis:

> Ludovic Courtès (2016-01-01 21:04 +0300) wrote:
>
>> I’ve amended that section of the manual based on text from the
>> announcement (see
>> <https://lists.gnu.org/archive/html/info-gnu/2015-11/msg00002.html>).
>> Step 1 becomes:
>>
>>   1. Download the binary tarball from
>>      ‘ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz’,
>>      where SYSTEM is ‘x86_64-linux’ for an ‘x86_64’ machine already
>>      running the kernel Linux, and so on.
>>
>>      Make sure to download the associated ‘.sig’ file and to verify the
>>      authenticity of the tarball against it, along these lines:
>>
>>        $ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>        $ gpg --verify guix-binary-0.9.0.SYSTEM.tar.xz.sig
>>
>>      If that command fails because you don’t have the required public
>>      key, then run this command to import it:
>>
>>        $ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
>
> Being a lazy user, my first question is: «What is this "3D9AEBB5" thing?

I would expect that the command together with the previous sentence
suggest that 3D9AEBB5 identifies the key used to sign the package, no?

> Hm, apparently it is some key, but what key? where did it come from? is
> it from gnu.org or what? maybe it is for "keys.gnupg.net" server? OK, I
> should read gpg manual to find it out… but I won't». And then I will
> not check the signature because I trust the tarball from "gnu.org" but I
> don't trust a thing that I don't understand. (I talk only for myself,
> I think other people are more conscious users)
>
> I think it will be also good to explain what "3D9AEBB5" means.

I would prefer to refer to a more complete document such as the GNU
Privacy Handbook, but I don’t know what its current status is:

  https://www.gnupg.org/gph/en/manual.html#AEN136

Ludo’.
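An added, self-contained walk-through of the step 1 procedure discussed above (example code written for this page, not from the thread, the Guix manual or the Guix project). "3D9AEBB5" is a GnuPG short key ID: the last eight hex digits of the signing key's 40-hex-digit fingerprint. The script generates a throwaway signing key and a stand-in "tarball" in temporary keyrings (all constructed for illustration; the key, user ID demo@example.invalid and fingerprint are not the Guix release key), signs it, then plays the downloader: before the public key is imported the verification fails with NO_PUBKEY (the case the manual's `--recv-keys` line addresses), after an offline import (standing in for `--recv-keys`) it succeeds, and a tampered copy fails. It also checks the full fingerprint reported by gpg against the one the project would publish out of band, since `gpg --verify` exiting 0 only means the signature matches some key in your keyring. It assumes `gpg` (GnuPG 2.1 or later), `gpgconf` and `awk` are installed.

```shell
#!/bin/sh
# Added example, not from the thread or the Guix manual: verify a detached
# GnuPG signature as in the manual's step 1, then pin the signer's full
# fingerprint.  Runs offline: the signing key, the "tarball" and the
# expected fingerprint are generated here in throwaway keyrings
# (assumptions for illustration; this is not the Guix project's key).
set -u

WORK=$(mktemp -d)
SIGNER_HOME=$WORK/signer   # plays the release manager
USER_HOME=$WORK/user       # plays the downloader who imports the key
EMPTY_HOME=$WORK/empty     # plays the downloader who never imported it
mkdir -m 700 "$SIGNER_HOME" "$USER_HOME" "$EMPTY_HOME"

cleanup() {
    for h in "$SIGNER_HOME" "$USER_HOME" "$EMPTY_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg in batch mode with no pinentry, against a given homedir.
g() { home=$1; shift; gpg --batch --homedir "$home" --pinentry-mode loopback --passphrase '' "$@"; }

# short_key_id FPR: the 8-hex-digit "short key ID" (what 3D9AEBB5 is) is just
# the last 32 bits of the 160-bit fingerprint, far too short to be unique.
short_key_id() { printf '%s' "$1" | tail -c 8; }

# verify_signed_file SIG FILE EXPECTED_FPR HOMEDIR
# Exit status: 0 valid signature from the expected key
#              1 bad signature (file tampered with) or no signature found
#              2 signing key not in the keyring (what --recv-keys fixes)
#              3 valid signature, but from a key other than the expected one
verify_signed_file() {
    sig=$1; file=$2; expected=$3; home=$4
    # --status-fd gives machine-readable lines; drop gpg's human-readable stderr.
    status=$(gpg --batch --homedir "$home" --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    case $status in
        *"[GNUPG:] NO_PUBKEY "*) return 2 ;;
        *"[GNUPG:] BADSIG "*)    return 1 ;;
    esac
    # The last field of a VALIDSIG line is the primary key's 40-hex-digit fingerprint.
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 3
    return 0
}

# --- release manager side: create a key and sign the tarball -----------------
g "$SIGNER_HOME" --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
printf 'constructed stand-in for guix-binary-0.9.0.SYSTEM.tar.xz\n' > "$WORK/tarball"
g "$SIGNER_HOME" --yes --output "$WORK/tarball.sig" --detach-sign "$WORK/tarball" 2>/dev/null

# The fingerprint a project publishes out of band (announcement, web page, manual).
FPR=$(gpg --batch --homedir "$SIGNER_HOME" --with-colons --fingerprint demo@example.invalid \
      | awk -F: '$1 == "fpr" { print $10; exit }')
echo "published fingerprint: $FPR  (short key ID: $(short_key_id "$FPR"))"

# --- downloader side ---------------------------------------------------------
# Offline stand-in for `gpg --recv-keys`: import the public key into the user's keyring.
gpg --batch --homedir "$SIGNER_HOME" --export demo@example.invalid \
    | gpg --batch --homedir "$USER_HOME" --import 2>/dev/null

# A tampered copy of the tarball.
cp "$WORK/tarball" "$WORK/tarball.evil"; printf 'x' >> "$WORK/tarball.evil"

rc=0; verify_signed_file "$WORK/tarball.sig" "$WORK/tarball" "$FPR" "$EMPTY_HOME" || rc=$?
echo "key not imported:  rc=$rc"   # 2
rc=0; verify_signed_file "$WORK/tarball.sig" "$WORK/tarball" "$FPR" "$USER_HOME" || rc=$?
echo "genuine tarball:   rc=$rc"   # 0
rc=0; verify_signed_file "$WORK/tarball.sig" "$WORK/tarball.evil" "$FPR" "$USER_HOME" || rc=$?
echo "tampered tarball:  rc=$rc"   # 1
rc=0; verify_signed_file "$WORK/tarball.sig" "$WORK/tarball" "$(printf '%040d' 0)" "$USER_HOME" || rc=$?
echo "wrong fingerprint: rc=$rc"   # 3
```

For a real download the same `verify_signed_file` applies unchanged: pass the downloaded `.sig`, the tarball, the full fingerprint taken from the release announcement rather than the keyserver, and your normal keyring (`$HOME/.gnupg`). The fingerprint comparison is the part `gpg --verify` on its own does not do: a keyserver will happily return any key whose short ID is 3D9AEBB5, so the short ID locates a key but does not authenticate it.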