
#1 2017-07-24 15:56:26

soaringowl2145
Member
Registered: 2016-12-17
Posts: 49

[SOLVED] Is this the correct signing key?

gpg --verify archlinux-2017.07.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2017.07.01-x86_64.iso'
gpg: Signature made Sat Jul  1 03:19:25 2017 EDT
gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Can't check signature: No public key

I am curious about the key that it says it was signed with.  On Debian it says the signing key is: 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC

But on KNOPPIX it says: 9741E8AC

So, is the key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC fine?

Last edited by soaringowl2145 (2017-07-25 22:02:27)


#2 2017-07-24 16:20:45

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: [SOLVED] Is this the correct signing key?

soaringowl2145 wrote:
On Debian it says the signing key is: 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
But on KNOPPIX it says:                                               9741E8AC

So, is the key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC fine?

Yep, that's Pierre's key. The full fingerprint is usually used as an ID but sometimes only the last 8 digits are used instead.


My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone


#3 2017-07-25 22:01:18

soaringowl2145
Member
Registered: 2016-12-17
Posts: 49

Re: [SOLVED] Is this the correct signing key?

Thank you!


#4 2017-07-25 22:10:57

mpan
Member
Registered: 2012-08-01
Posts: 1,200

Re: [SOLVED] Is this the correct signing key?

A side note: you should not use only the last 32 bits (8 hexadecimal digits) for working with keys. Use either the full fingerprints or at least the 64-bit IDs.

32-bit ones are effectively dead, with collisions obtainable within dozens of seconds and fake keys of Linux devs already found in the wild. All up-to-date software should have dropped the 32-bit IDs, so on Arch Linux the issue is usually solved, but if you use other operating systems with outdated programs, you should be aware of the problem.


Sometimes I seem a bit harsh — don’t get offended too easily!


#5 2017-07-25 22:23:30

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED] Is this the correct signing key?

Yeah, you'll probably want to make sure your gpg binary uses --with-fingerprint --keyid-format long by default (e.g. set these options in your ~/.gnupg/gpg.conf).


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
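
One way to act on the advice in posts #4 and #5 when the check is scripted (an added example, not part of any post in this thread): compare the full fingerprint from gpg's machine-readable status output against a pinned value instead of reading a short ID off the screen. The status lines embedded below are constructed samples, the `DEADBEEF...` fingerprint is made up, and `signer_matches` is a hypothetical helper name; it assumes the status stream describes a single signature.

```shell
#!/bin/sh
# Added example. The pinned fingerprint is the one quoted in the thread.
PINNED_FPR=4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC

# signer_matches FPR: reads `gpg --status-fd 1 --verify ...` output on stdin.
# 0 = good signature made by exactly FPR, 1 = anything else,
# 2 = FPR is not a full 40-hex-digit fingerprint (short IDs are refused).
signer_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    # Appending "" forces string comparison: a fingerprint such as
    # "12...7E12" would otherwise be compared as a floating-point number.
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }   # valid, key not expired or revoked
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) {
            signer = 1                  # signing key or primary key is FPR
        }
        END { exit !(good && signer) }'
}

# Constructed status output: signature by the pinned key.
sample_genuine() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 7F2D434B9741E8AC Example Signer <signer@example.invalid>' \
      '[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2017-07-01 1498893565 0 4 0 1 8 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC'
}

# Constructed status output: a different key whose last 8 hex digits
# (the 32-bit ID) are also 9741E8AC. This fingerprint is made up.
sample_lookalike() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG DEADBEEF9741E8AC Example Signer <signer@example.invalid>' \
      '[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEF9741E8AC 2017-07-01 1498893565 0 4 0 1 8 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEF9741E8AC'
}

for s in sample_genuine sample_lookalike; do
    if "$s" | signer_matches "$PINNED_FPR"; then
        echo "$s: signed by pinned key"
    else
        echo "$s: rejected"
    fi
done
# Real use, once the key is in the keyring:
#   gpg --status-fd 1 --verify archlinux-2017.07.01-x86_64.iso.sig 2>/dev/null \
#     | signer_matches "$PINNED_FPR"
```

The pinned fingerprint should come from a source independent of the download mirror, since a value copied from the same place as the ISO proves nothing.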

