Where can I find the public key for GNU Emacs?

Posted 2024-11-01 20:49:10 · 369 words · 1 view · 0 comments

I have used emacs for only half a year from 23.1 to 23.3.

Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version, I failed.

It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...

I can only find SHA1 checksum in the mailing list
http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check

How do I do this?

Comments (5)

感性 2024-11-08 20:49:10

If you try to verify the signature using

gpg --verify <pkg>.key

you'll get an output like the following:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key

The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:

gpg --recv-keys BE216115

Which resulted in the following on my installation:

gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2  valid:   6  signed:   1  trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31  7666 09DF 2DC9 BE21 6115

So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:

gpg --edit-key BE216115

In the command prompt, type help to see all the available options. For further information, see Using the GNU Privacy Guard.

起风了 2024-11-08 20:49:10

The GNU keyring is at https://ftp.gnu.org/gnu/gnu-keyring.gpg

You can import them locally (after downloading) with

gpg --import gnu-keyring.gpg

请你别敷衍 2024-11-08 20:49:10

There is a README file at the root level of the GNU FTP server which explains how to use the signatures.

See https://ftp.gnu.org/README for the up-to-date version.

The current file says:

There are also .sig files, which contain detached GPG signatures of the above
files, automatically signed by the same script that generates them.

You can verify the signatures for gnu project files with the keyring file from:
  https://ftp.gnu.org/gnu/gnu-keyring.gpg

In a directory with the keyring file, the source file to verify and the
signature file, the command to use is:

  $ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig

凉城凉梦凉人心 2024-11-08 20:49:10

The answer from @vhallac is now out of date (I'm trying to verify an emacs-24.4 download). If you don't want to download and import the entire GNU keyring (as @JSON discussed), here's a way to get this done. In this answer I'll show what works today but also how to figure out what will work a year from now.

First download emacs and its .sig file. I have:

$ ls | grep emacs
emacs-24.4.tar.xz
emacs-24.4.tar.xz.sig

Assuming you already have gpg installed, try to verify it:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Can't check signature: public key not found

In this attempt, it fails (you'll see a successful attempt at the end of this post). I don't have the public key. The output tells you which public key you need to obtain: A0B0F199. (This is the thing that will most likely change in the future.)

So I then try to download it with the default command:

$ gpg --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
(...hangs here...)

It just hangs. That's because I have ufw (my Linux firewall software) blocking most ports. You can tell gpg to use port 80, like so:

$ gpg --keyserver hkp://keys.gnupg.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
gpgkeys: key A0B0F199 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

That got through the firewall, but fails because, for some reason, the Emacs/FSF keys are no longer being stored on the gnupg server. So I tried the other keyserver I know about and have some level of trust of:

$ gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server pool.sks-keyservers.net
gpg: key A0B0F199: public key "Glenn Morris <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

OK, it worked. Now check it:

$ gpg --list-keys
...
pub   2048R/A0B0F199 2012-12-23 [expires: 2015-12-23]
uid                  Glenn Morris <[email protected]>
sub   2048R/951C59EC 2012-12-23 [expires: 2015-12-23]

Yep, got it.

Now I can verify the downloaded emacs tarball:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Good signature from "Glenn Morris <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199

The signature is "good", but not trusted. See the other answers for how to trust that key.
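
Added example (not part of the answers above, and not the GNU or Emacs project's own script): a POSIX shell check that accepts a release only when gpg's machine-readable `--status-fd` output contains a VALIDSIG line whose primary-key fingerprint equals the full fingerprint you expect, because an 8-digit key ID such as A0B0F199 does not identify a key uniquely. The function names and sample status lines are constructed for illustration; the expected fingerprint is the one printed in the output above and should be confirmed through a channel you trust.

```sh
#!/bin/sh
# Added example: pin the signer by full fingerprint, not by short key ID.

# Normalise a fingerprint: strip spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line is
# present, its last field (the primary-key fingerprint) equals EXPECTED_FPR,
# and no BADSIG / ERRSIG / REVKEYSIG line was reported.
check_status() {
    awk -v want="$(norm_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }   # force string compare
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_release SIG FILE EXPECTED_FPR [KEYRING]
# Runs gpg on a detached signature and applies check_status to its status lines.
# With KEYRING (e.g. ./gnu-keyring.gpg) only that keyring is consulted.
verify_release() {
    if [ -n "${4:-}" ]; then
        gpg --batch --no-default-keyring --keyring "$4" \
            --status-fd 1 --verify "$1" "$2" 2>/dev/null
    else
        gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null
    fi | check_status "$3"
}

# Constructed sample status output (written by hand, not captured from gpg).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6592E9A3A0B0F199 Glenn Morris
[GNUPG:] VALIDSIG B29426DEFB07724C3C35E5D36592E9A3A0B0F199 2014-10-20 1413831501 0 4 0 1 2 00 B29426DEFB07724C3C35E5D36592E9A3A0B0F199'

# Constructed look-alike: a made-up fingerprint that ends in the same 8 digits,
# so it would display the same short key ID but is a different key.
SAMPLE_LOOKALIKE='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFA0B0F199 2014-10-20 1413831501 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEFA0B0F199'

# Example call:
#   verify_release emacs-24.4.tar.xz.sig emacs-24.4.tar.xz \
#       'B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199' ./gnu-keyring.gpg
```

`verify_release` returns 0 only on a fingerprint match, so it can gate an unpack or build step; a missing public key, a bad signature or a key with a different fingerprint all return non-zero.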

小帐篷 2024-11-08 20:49:10

Emacs needs to update the package gnu-elpa-keyring-update. But... without an updated gnu-elpa-keyring-update package you can't do it.

For this reason, it is necessary to do the following:

  1. Disable signature checking of packages and package archives by setting package-check-signature to nil.
  2. Install package gnu-elpa-keyring-update.
  3. Restore package-check-signature variable value.

Code from my init.el (add after setting package archives, but before installing any package with use-package or another tool):

(add-to-list 'package-pinned-packages '("gnu-elpa-keyring-update" . "gnu"))

(unless (package-installed-p 'gnu-elpa-keyring-update)
  ;; Save default value of `package-check-signature' variable
  (defvar package-check-signature-default package-check-signature)

  ;; Disable signature checking
  (setq package-check-signature nil)

  ;; Download package archives (without signature checking)
  (package-refresh-contents)

  ;; Install package `gnu-elpa-keyring-update' (without signature checking)
  (package-install 'gnu-elpa-keyring-update t)

  ;; Restore `package-check-signature' value to default.
  (setq package-check-signature package-check-signature-default))