Adding fingerprint to Emacs signature file?

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Adding fingerprint to Emacs signature file?

From:	Tadeus Prastowo
Subject:	Adding fingerprint to Emacs signature file?
Date:	Wed, 3 Nov 2021 04:50:05 +0100

Hi Eli!

When verifying the signature of an Emacs tarball using gpg with
--auto-key-retrieve, I encounter an error, which does not happen when
verifying the signature of a Linux kernel in the same manner, as
demonstrated below:

1. Test using Linux kernel.
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.xz
https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.sign
unxz < linux-5.11.tar.xz | gpg --keyserver
hkp://keyserver.ubuntu.com:80 --auto-key-retrieve --verify
linux-5.11.tar.sign -

The output of the last command is as follows:
gpg: Signature made Mon 15 Feb 2021 10:11:32 AM CET
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: requesting key 38DBBDC86092693E from hkp server keyserver.ubuntu.com
gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman
<gregkh@linuxfoundation.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Greg Kroah-Hartman
<gregkh@linuxfoundation.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable
release signing key) <greg@kroah.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

2. Test using Emacs.
wget  http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz.sig
http://mirror.kumi.systems/gnu/emacs/emacs-27.2.tar.xz
cat emacs-27.2.tar.xz  | gpg --keyserver hkp://keyserver.ubuntu.com:80
--auto-key-retrieve --verify emacs-27.2.tar.xz.sig -

The output of the last command is as follows:
gpg: Signature made Thu 25 Mar 2021 12:53:08 PM CET
gpg:                using RSA key 91C1262F01EB8D39
gpg: Can't check signature: No public key

I have raised the issue in the gnupg-users mailing list, which has
been responded as well:
https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065542.html
and https://lists.gnupg.org/pipermail/gnupg-users/2021-November/065544.html

Would it be possible for future Emacs signature files to have the
issuer fingeprint as well?  Since I have not sought through the Emacs
mailing list archive, I am sorry if this issue has been raised in the
past.

Thank you.

-- 
Best regards,
Tadeus

[Prev in Thread]

Current Thread

[Next in Thread]

Adding fingerprint to Emacs signature file?, Tadeus Prastowo <=
- Re: Adding fingerprint to Emacs signature file?, Eli Zaretskii, 2021/11/03
  - Re: Adding fingerprint to Emacs signature file?, Stefan Monnier, 2021/11/03
    - Re: Adding fingerprint to Emacs signature file?, Eli Zaretskii, 2021/11/03

Prev by Date: Schematics in GNU Emacs (Symbols Library)
Next by Date: Help with Fontification
Previous by thread: Schematics in GNU Emacs (Symbols Library)
Next by thread: Re: Adding fingerprint to Emacs signature file?
Index(es):
- Date
- Thread