I am planning on building Geany 1.36 following my upgrade to Debian buster. I have downloaded the source file tarballs from geany.org and plugins.geany.org.

The instruction for importing the geany-plugins key produced:

    ~$ gpg --recv-keys B507ACD04BA283C9
    gpg: keybox '/home/geoff/.gnupg/pubring.kbx' created
    gpg: key B507ACD04BA283C9: new key but contains no user ID - skipped
    gpg: Total number processed: 1
    gpg: w/o user IDs: 1

Importing the key for geany gave a similar result:

    ~$ gpg --import < colombanw-pubkey.txt
    gpg: key 24CCD8550E5D1CAE: 3 signatures not checked due to missing keys
    gpg: /home/geoff/.gnupg/trustdb.gpg: trustdb created
    gpg: key 24CCD8550E5D1CAE: public key "Colomban Wendling ban@ban.netlib.re" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: no ultimately trusted keys found

In the light of the above messages, I did not try the gpg --verify command.
What should I do to proceed?
Geoff
33 Ashbury Close, Cambridge CB1 3RW 01223 710582
I'm not a gpg expert, but have you got your keyserver set up right?
Cheers Lex
On Fri, 21 Aug 2020 at 06:15, Geoff Kaniuk geoff@kaniuk.co.uk wrote:
> What should I do to proceed?
_______________________________________________
Users mailing list
Users@lists.geany.org
https://lists.geany.org/cgi-bin/mailman/listinfo/users
I certainly thought I had, as I am able to connect to remote servers - but clearly that seems to be irrelevant here.
I have spent some time looking for a step by step guide on how to use gpg to verify downloaded software. I confess that I did not realise I needed to set up a local keyserver.
I have a $HOME/.gnupg which was created yesterday with mainly new files created but one old empty directory private-keys-v1.d
The command ~$ gpg --list-keys produced 3 uid from Colomban Wendling, all expired.
The command ~$ gpg --list-sigs again produced 3 items for Colomban Wendling all expired with dates set to 2015-03-12.
I can of course supply full details if that is of interest.
What I would really appreciate is some direction where to look to find a simple guide to configuring my gpg to verify files from Geany.
Geoff
33 Ashbury Close, Cambridge CB1 3RW 01223 710582
On 20/08/2020 23:32, Lex Trotman wrote:
> I'm not a gpg expert, but have you got your keyserver set up right?
The reports from several posts on stack exchange for gpg verification seem to suggest that first time round things do fail.

I have now run:

    ~$ gpg --verify geany-1.36.tar.gz.sig geany-1.36.tar.gz
    gpg: Signature made Sat 28 Sep 2019 13:50:49 BST
    gpg: using RSA key ACA0246889FB96B63382111724CCD8550E5D1CAE
    gpg: Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
    gpg: aka "Colomban Wendling ban@herbesfolles.org" [expired]
    gpg: aka "Colomban Wendling lists.ban@herbesfolles.org" [expired]
    gpg: Note: This key has expired!
    Primary key fingerprint: ACA0 2468 89FB 96B6 3382 1117 24CC D855 0E5D 1CAE
    ~$ echo $?
    0

Given that I have received a "Good Signature" message and a return code of zero, I guess the file is perfect?
The md5sum for the plugins also checks out OK.
Geoff
33 Ashbury Close, Cambridge CB1 3RW 01223 710582
On 21/08/2020 14:44, Geoff Kaniuk wrote:
On 21.08.20 19:14, Geoff Kaniuk wrote:
> The reports from several posts on stack exchange for gpg verification seem to suggest that first time round things do fail.
>
> I have now run:
>
>     ~$ gpg --verify geany-1.36.tar.gz.sig geany-1.36.tar.gz
>     gpg: Signature made Sat 28 Sep 2019 13:50:49 BST
>     gpg: using RSA key ACA0246889FB96B63382111724CCD8550E5D1CAE
>     gpg: Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
>     gpg: aka "Colomban Wendling ban@herbesfolles.org" [expired]
>     gpg: aka "Colomban Wendling lists.ban@herbesfolles.org" [expired]
>     gpg: Note: This key has expired!
>     Primary key fingerprint: ACA0 2468 89FB 96B6 3382 1117 24CC D855 0E5D 1CAE
>     ~$ echo $?
>     0
>
> Given that I have received a "Good Signature" message and a return code of zero, I guess the file is perfect?
Yepp. Only it was done with a key that is not valid anymore. It's up to you whether you still trust it or not.
> The md5sum for the plugins also checks out OK.
We should ban md5 to somewhere far far far away :D
.f
On 20.08.20 22:15, Geoff Kaniuk wrote:
> I am planning on building Geany 1.36 following my upgrade to Debian buster. I have downloaded the source file tarballs from geany.org and plugins.geany.org.
>
> The instruction for importing the geany-plugins key produced:
>
>     ~$ gpg --recv-keys B507ACD04BA283C9
>     gpg: keybox '/home/geoff/.gnupg/pubring.kbx' created
>     gpg: key B507ACD04BA283C9: new key but contains no user ID - skipped
>     gpg: Total number processed: 1
>     gpg: w/o user IDs: 1
This is actually my key and this one is uploaded to keyservers:
    $ LANG=C gpg --finger B507ACD04BA283C9
    pub rsa4096 2018-04-04 [SCA] [expired: 2020-04-03]
    6D0E 68FC E198 824C 27C9 0EB0 B507 ACD0 4BA2 83C9
    uid [ expired] Frank Lanitz frank@lanitz.info
    uid [ expired] Frank Lanitz frank@mxsrv.org
    uid [ expired] Frank Lanitz frank@geany.org
    uid [ expired] Frank Lanitz frlan@fsfe.org
    uid [ expired] Frank Lanitz frank.lanitz@seznam.cz
    uid [ expired] Frank Lanitz frank@frank.uvena.de

But meanwhile expired. Anyway I've added it to that mail.
Cheers, Frank
I have tried the key you sent me:

------------------------------------------------------------------------
    ~$ gpg --recv-keys B507ACD04BA283C9.asc
    gpg: "B507ACD04BA283C9.asc" not a key ID: skipping

    ~$ gpg --import B507ACD04BA283C9.asc
    gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys
    gpg: key B507ACD04BA283C9: public key "Frank Lanitz frank@lanitz.info" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: no ultimately trusted keys found

So I am still at a loss as to what the key issue really is!

I have also run the plugin verify again, and this time get

    ~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz
    gpg: Signature made Sat 28 Sep 2019 14:43:54 BST
    gpg: using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
    gpg: Good signature from "Frank Lanitz frank@lanitz.info" [expired]
    gpg: aka "Frank Lanitz frank@mxsrv.org" [expired]
    gpg: aka "Frank Lanitz frank@geany.org" [expired]
    gpg: aka "Frank Lanitz frlan@fsfe.org" [expired]
    gpg: aka "Frank Lanitz frank.lanitz@seznam.cz" [expired]
    gpg: aka "Frank Lanitz frank@frank.uvena.de" [expired]
    gpg: Note: This key has expired!
    Primary key fingerprint: 6D0E 68FC E198 824C 27C9 0EB0 B507 ACD0 4BA2 83C9
------------------------------------------------------------------------

By the way the key you sent has the format:

B507ACD04BA283C9.asc
========================================================================
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF ...
...
LqGnsF6TxzGwPm8R6w40V5I67rfdbQ==
=YjsN
-----END PGP PUBLIC KEY BLOCK-----
========================================================================

Am I using the correct command to import the key?
It would be good to solve this issue, seeing you have taken the trouble to create the verification process!
Geoff
33 Ashbury Close, Cambridge CB1 3RW 01223 710582
On 21/08/2020 21:45, Frank Lanitz wrote:
> But meanwhile expired. Anyway I've added it to that mail.
Hello,
On 22.08.20 13:41, Geoff Kaniuk wrote:
>     ~$ gpg --import B507ACD04BA283C9.asc
>     gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys
>     gpg: key B507ACD04BA283C9: public key "Frank Lanitz frank@lanitz.info" imported
>     gpg: Total number processed: 1
>     gpg: imported: 1
>     gpg: no ultimately trusted keys found
>
> So I am still at a loss as to what the key issue really is!
Since the last release the key expired. This is a normal thing -- as you should not use GPG-keys without any expiration date (IMHO). So this key was expired back in April this year. So this is totally fine and will not have any impact on verifying the signature (as you are downloading a key based on information you got from the same source as the item you want to verify it's a weak protection anyway -- but better than none). You can still check whether this file was signed with the key -- only you should not trust the key itself anymore -- so _maybe_ it was revoked due to somebody copied it or for any other reasons. Here, and you have to trust into my word, the key just expired. I don't have any knowledge of misuse of the key etc as well as the key with 4096 RSA is not a weak one. That's why I don't think we need to regenerate the signature.
> I have also run the plugin verify again, and this time get
>
>     ~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz
>     gpg: Signature made Sat 28 Sep 2019 14:43:54 BST
>     gpg: using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
>     gpg: Good signature from "Frank Lanitz frank@lanitz.info" [expired]
>     gpg: aka "Frank Lanitz frank@mxsrv.org" [expired]
>     gpg: aka "Frank Lanitz frank@geany.org" [expired]
>     gpg: aka "Frank Lanitz frlan@fsfe.org" [expired]
>     gpg: aka "Frank Lanitz frank.lanitz@seznam.cz" [expired]
>     gpg: aka "Frank Lanitz frank@frank.uvena.de" [expired]
>     gpg: Note: This key has expired!
>     Primary key fingerprint: 6D0E 68FC E198 824C 27C9 0EB0 B507 ACD0 4BA2 83C9
Looks good for me.
> By the way the key you sent has the format:
>
> B507ACD04BA283C9.asc
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mQINBF ...
> ...
> LqGnsF6TxzGwPm8R6w40V5I67rfdbQ==
> =YjsN
> -----END PGP PUBLIC KEY BLOCK-----
Yes. This is the typical format for exchanging PGP-keys when using the ASCII-encoding. Something similar is used for SSH-Keys (OpenPGP-format) or SSL-certificates. When using gpg --recv-keys the tool is downloading about that from the keyservers, too.
> Am I using the correct command to import the key?
Yes.
> It would be good to solve this issue, seeing you have taken the trouble to create the verification process!
Why do you think so?
Cheers, Frank
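Added example, not part of any message in this thread: gpg --verify exits 0 for a good signature made by any key in the keyring, so a build script should also pin the expected fingerprint and report the expired-key case discussed above separately. The sketch below classifies the output of gpg's --status-fd option; the function names and the sample status lines are constructed for illustration, and it assumes VALIDSIG accompanies EXPKEYSIG the same way it accompanies GOODSIG.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd 1 --verify` output against a pinned key.

# classify_status EXPECTED_FPR: reads status lines on stdin, prints one verdict:
# ok | ok-expired-key | wrong-key | revoked-key | bad | no-key | unverified
classify_status() {
    # Accept the fingerprint with or without spaces, in either case.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "EXPKEYSIG" { expkey = 1 }          # good signature, key has expired
        $2 == "REVKEYSIG" { revkey = 1 }          # good signature, key was revoked
        $2 == "BADSIG"    { bad = 1 }             # file or signature was altered
        $2 == "NO_PUBKEY" { nokey = 1 }           # signing key not in the keyring
        $2 == "VALIDSIG"  { fpr = toupper($NF) }  # last field: primary key fingerprint
        END {
            if (bad)              print "bad"
            else if (nokey)       print "no-key"
            else if (fpr == "")   print "unverified"
            else if (fpr != want) print "wrong-key"
            else if (revkey)      print "revoked-key"
            else if (expkey)      print "ok-expired-key"
            else if (good)        print "ok"
            else                  print "unverified"
        }'
}

# Constructed status lines modelled on the geany-1.36 check in this thread
# (timestamp and algorithm numbers are made up for the sample).
sample_expired_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 24CCD8550E5D1CAE Colomban Wendling ban@ban.netlib.re
[GNUPG:] VALIDSIG ACA0246889FB96B63382111724CCD8550E5D1CAE 2019-09-28 1569675049 0 4 0 1 8 00 ACA0246889FB96B63382111724CCD8550E5D1CAE
EOF
}

# Real use (needs gpg and the imported key): verify_release SIGFILE FILE FINGERPRINT
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$3"
}

# Demo on the constructed sample; prints: ok-expired-key
sample_expired_key | classify_status "ACA0 2468 89FB 96B6 3382 1117 24CC D855 0E5D 1CAE"
```

The pinned fingerprint is only as good as the channel it came from, which is the point made above about fetching the key from the same source as the tarball.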
Many thanks for your detailed response. I had thought the default for the pgp key generator was to have no expiry date, but perhaps that is regarded as too risky?
I am happy that everything looks good and I can trust the signature and key. I now look forward to building geany and plugins ;)
Regards,
Geoff
33 Ashbury Close, Cambridge CB1 3RW 01223 710582
On 22/08/2020 16:01, Frank Lanitz wrote:
> Looks good for me.