guix-commits

03/03: website: packaging-tutorial: Add note about tarball authenticatio


From: Ludovic Courtès
Subject: 03/03: website: packaging-tutorial: Add note about tarball authentication.
Date: Wed, 10 Oct 2018 09:58:00 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix-artwork.

commit 8b0d197ba1d46189941544a019bfe880382d2014
Author: Ludovic Courtès <address@hidden>
Date:   Wed Oct 10 15:52:25 2018 +0200

    website: packaging-tutorial: Add note about tarball authentication.
    
    * website/posts/packaging-tutorial.md: Add note about checking the
    tarball's signature.
---
 website/posts/packaging-tutorial.md | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/website/posts/packaging-tutorial.md 
b/website/posts/packaging-tutorial.md
index 42c8e7d..9e2b327 100644
--- a/website/posts/packaging-tutorial.md
+++ b/website/posts/packaging-tutorial.md
@@ -158,11 +158,33 @@ URI:
     0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i
 ```
 
-Note in this specific case that the output tells us which mirror was chosen.
-
+In this specific case that the output tells us which mirror was chosen.
 If the result of the above command is not the same as in the above snippet,
 update your `my-hello` declaration accordingly.
 
+Note that GNU package tarballs come with an OpenPGP signature, so you
+should definitely check the signature of this tarball with `gpg` to
+authenticate it before going further:
+
+```sh
+       $ guix download mirror://gnu/hello/hello-2.10.tar.gz.sig
+
+       Starting download of /tmp/guix-file.03tFfb
+       From https://ftpmirror.gnu.org/gnu/hello/hello-2.10.tar.gz.sig...
+       following redirection to 
`https://ftp.igh.cnrs.fr/pub/gnu/hello/hello-2.10.tar.gz.sig'...
+        ….tar.gz.sig  819B                                                     
                                                                  1.2MiB/s 
00:00 [##################] 100.0%
+       /gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig
+       0q0v86n3y38z17rl146gdakw9xc4mcscpk8dscs412j22glrv9jf
+       $ gpg --verify 
/gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig 
/gnu/store/hbdalsf5lpf01x4dcknwx6xbn6n5km6k-hello-2.10.tar.gz
+       gpg: Signature made Sun 16 Nov 2014 01:08:37 PM CET
+       gpg:                using RSA key A9553245FDE9B739
+       gpg: Good signature from "Sami Kerola <address@hidden>" [unknown]
+       gpg:                 aka "Sami Kerola (http://www.iki.fi/kerolasa/) 
<address@hidden>" [unknown]
+       gpg: WARNING: This key is not certified with a trusted signature!
+       gpg:          There is no indication that the signature belongs to the 
owner.
+       Primary key fingerprint: 8ED3 96E3 7E38 D471 A005  30D3 A955 3245 FDE9 
B739
+```
+
 Now you can happily run
 
 ```sh
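Review bot: The sample `gpg --verify` output in the added block ends with "WARNING: This key is not certified with a trusted signature!", while the new paragraph says the check will "authenticate" the tarball and gives the reader no guidance on that warning. A good signature from a key the reader has not verified only shows that some key signed the file, so the text should tell readers to import the signer's public key first (without it gpg cannot check the signature at all) and to compare the printed "Primary key fingerprint" against a value obtained from a source they trust. Separately, the rewritten line "In this specific case that the output tells us which mirror was chosen." kept a stray "that" when "Note" was dropped; it should read "In this specific case the output tells us which mirror was chosen." The commit message also does not mention this rewording or the removed blank line, which merges that sentence into the following paragraph.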


