• checking upstream signed release

    From Lorenzo@21:1/5 to All on Wed Oct 16 11:30:02 2024
    Hello mentors,

    upstream signed last release [1], and if I download the text and save
    it as upstream.pgp.asc I can do

    $ gpg --verify upstream.pgp.asc
    gpg: Signature made Fri 27 Sep 2024 03:04:43 AM CEST
    gpg: using RSA key DAC43860630556B6DBF0898FA5DAAEFCB14D13CC
    gpg: Good signature from "Gerrit Pape <pape@debian.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DAC4 3860 6305 56B6 DBF0 898F A5DA AEFC B14D 13CC

    I did a little search and it looks that, in order to automatically
    verify upstream tarball, a file like [2] (?) is needed:
    is there a way I can extract that info from upstream public key or do I
    have to ask upstream to provide that info (I don't see it anywhere)?

    Lorenzo

    [1] https://smarden.org/runit/install
    https://smarden.org/runit/sha256sum.asc

    [2] https://salsa.debian.org/utopia-team/dbus/-/blob/debian/unstable/debian/upstream/signing-key.asc?ref_type=heads

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicolas Schodet@21:1/5 to All on Wed Oct 16 11:50:01 2024
    * Lorenzo <plorenzo@disroot.org> [2024-10-16 11:19]:
    > Hello mentors,
    > upstream signed last release [1], and if I download the text and save
    > it as upstream.pgp.asc I can do
    > [...]
    > I did a little search and it looks that, in order to automatically
    > verify upstream tarball, a file like [2] (?) is needed:
    > is there a way I can extract that info from upstream public key or do I
    > have to ask upstream to provide that info (I don't see it anywhere)?

    Hello Lorenzo,

    You can extract the key after checking it's correct; you can find some
    help here:

    https://www.debian.org/doc/manuals/debmake-doc/ch06.en.html#signing-key

    Also, the exported key should be a minimal key, you may need to add
    "--export-options export-minimal" when exporting the key. I think there
    is a lintian check for this.

    Nicolas.

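One way to script what Nicolas describes, as an added example that is not part of the thread: verify the clearsigned checksum list against the expected primary fingerprint, check the tarball against the signed checksums, then export the minimal key into debian/upstream/signing-key.asc. EXPECTED_FPR is the fingerprint from Lorenzo's gpg output; the function names, the RUN_VERIFY switch and the argument layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the upstream public key is
# already in the local keyring, that the expected primary fingerprint was
# confirmed out of band, and that the release tarball and sha256sum.asc from
# https://smarden.org/runit/ are in the current directory (GNU sha256sum).
set -eu

EXPECTED_FPR="DAC43860630556B6DBF0898FA5DAAEFCB14D13CC"

# Normalise a fingerprint (drop spaces, upper-case) so the spaced form gpg
# prints and the compact form used on the command line compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when both strings name the same full 40-hex-digit fingerprint.
# Comparing the full fingerprint, never the short key id, is the whole point.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Verify a clearsigned checksum file and require that the primary key behind
# the signature is the expected one. Uses gpg's machine-readable status
# output; field 12 of a VALIDSIG line is the primary key fingerprint.
verify_signed_checksums() {   # $1 = sha256sum.asc, $2 = expected fingerprint
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $12}')
    fpr_matches "$fpr" "$2"
}

# Full procedure: check the signature, check the tarball against the signed
# checksum list, then export a minimal key for debian/upstream/signing-key.asc.
verify_and_export() {   # $1 = tarball, $2 = sha256sum.asc, $3 = output key
    verify_signed_checksums "$2" "$EXPECTED_FPR"
    # --decrypt on a clearsigned file emits only the signed text, so the list
    # sha256sum -c reads is the one whose signature was just checked.
    gpg --decrypt "$2" 2>/dev/null | sha256sum -c --ignore-missing -
    # export-minimal strips third-party certifications, which is what the
    # packaging expects (Nicolas mentions a lintian check for this).
    mkdir -p "$(dirname "$3")"
    gpg --armor --export --export-options export-minimal "$EXPECTED_FPR" > "$3"
}

if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_and_export "$1" "$2" debian/upstream/signing-key.asc
fi
```

Run as `RUN_VERIFY=1 sh verify-upstream.sh runit-<version>.tar.gz sha256sum.asc`; a mismatch at any step stops the script before the key is written.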
  • From Lorenzo@21:1/5 to Nicolas Schodet on Wed Oct 16 13:50:01 2024
    On Wed, 16 Oct 2024 11:35:31 +0200
    Nicolas Schodet <nico@ni.fr.eu.org> wrote:

    > https://www.debian.org/doc/manuals/debmake-doc/ch06.en.html#signing-key

    Nicolas,
    thanks for this

    Lorenzo

    > Also, the exported key should be a minimal key, you may need to add
    > "--export-options export-minimal" when exporting the key. I think
    > there is a lintian check for this.
    >
    > Nicolas.

