From: "Jason Pyeron" <jpyeron@pdinc.us>
To: <git@vger.kernel.org>
Cc: "'Brooke Kuhlmann'" <brooke@alchemists.io>
Subject: RE: How to Verify Git GPG Signed Downloads?
Date: Sun, 24 Jan 2021 12:57:13 -0500 [thread overview]
Message-ID: <022601d6f27a$58a97200$09fc5600$@pdinc.us> (raw)
In-Reply-To: <B6DFB74D-A722-4DBD-A4B2-562604B21CCB@alchemists.io>
> From: Brooke Kuhlmann
> Sent: Sunday, January 24, 2021 11:49 AM
>
> Hello, I'm trying to figure out how to obtain the public key used to
> encrypt
Do you mean sign?
> the Git file
> downloads. I put together a gist that explains the problem and question in detail here:
>
> https://gist.github.com/bkuhlmann/684b74d25d83d52df8d0caeb6219aa15
Please don’t post links to questions, pasting your content inline here:
> Problem
> When attempting to download a Git version, it would be nice to verify the signature of the download by running the following:
>
> curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.gz
> curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.sign
> gpg --verify git-2.30.0.tar.sign git-2.30.0.tar.gz
> Only problem is that the last line of the above throws the following error:
>
> gpg: Signature made Sun Dec 27 23:12:30 2020 MST
> gpg: using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
> gpg: Can't check signature: No public key
> I tried using the following solutions to no avail:
$ gpg --recv-keys 96AFE6CB
gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 59 new signatures
gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 2 new subkeys
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new subkeys: 2
gpg: new signatures: 59
$ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz
gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
gpg: using subkey 96AFE6CB instead of primary key 713660A7
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
gpg: using PGP trust model
gpg: BAD signature from "Junio C Hamano <gitster@pobox.com>"
gpg: binary signature, digest algorithm SHA256
$ gpg --list-keys -v 96AFE6CB
gpg: using PGP trust model
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
pub 4096R/713660A7 2011-10-01
uid Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <junio@pobox.com>
uid Junio C Hamano <jch@google.com>
sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
sub 4096R/833262C4 2011-10-01
sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
It is possible that Junio forgot to push his refreshed public key.
>
> gpg --locate-keys torvalds@kernel.org gregkh@kernel.org committer@example.com discord@example.net gitster@pobox.com
> gpg --import <file> # <= Need a file to import but where does one obtain the public key?
> I also tried importing only the public keys from the Git repository via the following files without any luck either:
>
> t/lib-gpg/keyring.gpg
> contrib/credential/netrc/test.git-config-gpg
> contrib/credential/netrc/test.netrc.gpg
> contrib/credential/netrc/test.command-option-gpg
> Question
> How does one figure out how to obtain the public keys for which the Git downloads were signed?
>
> If anyone has any advice on how to make this possible, it would be greatly appreciated.
>
> Thanks,
> Brooke
>
next prev parent reply other threads:[~2021-01-24 17:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-24 16:49 How to Verify Git GPG Signed Downloads? Brooke Kuhlmann
2021-01-24 17:57 ` Jason Pyeron [this message]
2021-01-24 21:33 ` brian m. carlson
2021-01-24 22:24 ` Jason Pyeron
2021-01-25 1:03 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='022601d6f27a$58a97200$09fc5600$@pdinc.us' \
--to=jpyeron@pdinc.us \
--cc=brooke@alchemists.io \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.