* How to Verify Git GPG Signed Downloads?
From: Brooke Kuhlmann @ 2021-01-24 16:49 UTC
To: git
Hello, I'm trying to figure out how to obtain the public key used to encrypt the Git file downloads. I put together a gist that explains the problem and question in detail here:
https://gist.github.com/bkuhlmann/684b74d25d83d52df8d0caeb6219aa15
If anyone has any advice on how to make this possible, it would be greatly appreciated.
Thanks,
Brooke
* RE: How to Verify Git GPG Signed Downloads?
From: Jason Pyeron @ 2021-01-24 17:57 UTC
To: git; +Cc: 'Brooke Kuhlmann'
> From: Brooke Kuhlmann
> Sent: Sunday, January 24, 2021 11:49 AM
>
> Hello, I'm trying to figure out how to obtain the public key used to
> encrypt
Do you mean sign?
> the Git file
> downloads. I put together a gist that explains the problem and question in detail here:
>
> https://gist.github.com/bkuhlmann/684b74d25d83d52df8d0caeb6219aa15
Please don’t post links to questions, pasting your content inline here:
> Problem
> When attempting to download a Git version, it would be nice to verify the signature of the download by running the following:
>
> curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.gz
> curl --remote-name https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.30.0.tar.sign
> gpg --verify git-2.30.0.tar.sign git-2.30.0.tar.gz
> Only problem is that the last line of the above throws the following error:
>
> gpg: Signature made Sun Dec 27 23:12:30 2020 MST
> gpg: using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
> gpg: Can't check signature: No public key
> I tried using the following solutions to no avail:
$ gpg --recv-keys 96AFE6CB
gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 59 new signatures
gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 2 new subkeys
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new subkeys: 2
gpg: new signatures: 59
$ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz
gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
gpg: using subkey 96AFE6CB instead of primary key 713660A7
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
gpg: using PGP trust model
gpg: BAD signature from "Junio C Hamano <gitster@pobox.com>"
gpg: binary signature, digest algorithm SHA256
$ gpg --list-keys -v 96AFE6CB
gpg: using PGP trust model
gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
pub 4096R/713660A7 2011-10-01
uid Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <junio@pobox.com>
uid Junio C Hamano <jch@google.com>
sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
sub 4096R/833262C4 2011-10-01
sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
It is possible that Junio forgot to push his refreshed public key.
>
> gpg --locate-keys torvalds@kernel.org gregkh@kernel.org committer@example.com discord@example.net gitster@pobox.com
> gpg --import <file> # <= Need a file to import but where does one obtain the public key?
> I also tried importing only the public keys from the Git repository via the following files without any luck either:
>
> t/lib-gpg/keyring.gpg
> contrib/credential/netrc/test.git-config-gpg
> contrib/credential/netrc/test.netrc.gpg
> contrib/credential/netrc/test.command-option-gpg
> Question
> How does one figure out how to obtain the public keys for which the Git downloads were signed?
>
> If anyone has any advice on how to make this possible, it would be greatly appreciated.
>
> Thanks,
> Brooke
>
* Re: How to Verify Git GPG Signed Downloads?
From: brian m. carlson @ 2021-01-24 21:33 UTC
To: brooke, git
On 2021-01-24 at 17:57:13, Jason Pyeron wrote:
> $ gpg --recv-keys 96AFE6CB
> gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
> gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 59 new signatures
> gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 2 new subkeys
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: new subkeys: 2
> gpg: new signatures: 59
>
> $ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz
> gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> gpg: using subkey 96AFE6CB instead of primary key 713660A7
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> gpg: using PGP trust model
> gpg: BAD signature from "Junio C Hamano <gitster@pobox.com>"
> gpg: binary signature, digest algorithm SHA256
The signature is bad because it's over the uncompressed .tar, not the
.tar.gz. There is also a .tar.xz and the signature is the same. You
therefore need to uncompress it first with gunzip.
> $ gpg --list-keys -v 96AFE6CB
> gpg: using PGP trust model
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> pub 4096R/713660A7 2011-10-01
> uid Junio C Hamano <gitster@pobox.com>
> uid Junio C Hamano <junio@pobox.com>
> uid Junio C Hamano <jch@google.com>
> sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
> sub 4096R/833262C4 2011-10-01
> sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
>
> It is possible that Junio forgot to push his refreshed public key.
Yes, I think that's the case.
--
brian m. carlson (he/him or they/them)
Houston, Texas, US
* RE: How to Verify Git GPG Signed Downloads?
From: Jason Pyeron @ 2021-01-24 22:24 UTC
To: git; +Cc: 'brian m. carlson', brooke
> From: brian m. carlson
> Sent: Sunday, January 24, 2021 4:34 PM
>
> On 2021-01-24 at 17:57:13, Jason Pyeron wrote:
> > $ gpg --recv-keys 96AFE6CB
> > gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
> > gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 59 new signatures
> > gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 2 new subkeys
> > gpg: no ultimately trusted keys found
> > gpg: Total number processed: 1
> > gpg: new subkeys: 2
> > gpg: new signatures: 59
> >
> > $ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz
> > gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
> > gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> > gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> > gpg: using subkey 96AFE6CB instead of primary key 713660A7
> > gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> > gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> > gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> > gpg: using PGP trust model
> > gpg: BAD signature from "Junio C Hamano <gitster@pobox.com>"
> > gpg: binary signature, digest algorithm SHA256
>
> The signature is bad because it's over the uncompressed .tar, not the
> .tar.gz. There is also a .tar.xz and the signature is the same. You
> therefore need to uncompress it first with gunzip.
Silly me, but maybe there should be a README in that directory, along with the signatures.asc. If not, then it should easily be found on the git-scm site.
$ gpg --verify git-2.30.0.tar.sign git-2.30.0.tar
gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
gpg: Good signature from "Junio C Hamano <gitster@pobox.com>"
gpg: aka "Junio C Hamano <junio@pobox.com>"
gpg: aka "Junio C Hamano <jch@google.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 96E0 7AF2 5771 9559 80DA D100 20D0 4E5A 7136 60A7
Subkey fingerprint: E1F0 36B1 FEE7 221F C778 ECEF B0B5 E886 96AF E6CB
>
> > $ gpg --list-keys -v 96AFE6CB
> > gpg: using PGP trust model
> > gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> > gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> > pub 4096R/713660A7 2011-10-01
> > uid Junio C Hamano <gitster@pobox.com>
> > uid Junio C Hamano <junio@pobox.com>
> > uid Junio C Hamano <jch@google.com>
> > sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
> > sub 4096R/833262C4 2011-10-01
> > sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
> >
> > It is possible that Junio forgot to push his refreshed public key.
>
> Yes, I think that's the case.
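The procedure brian describes (verify the .sign over the uncompressed .tar, not the .tar.gz) together with the "This key has expired!" outcome shown above, as an added example that is not code from the thread or from the git project. It assumes `gpg` is on PATH, pins the primary-key fingerprint printed above rather than a short key id, and uses constructed sample bytes in place of a real tarball.

```python
"""Verify a detached .sign over a git tarball: decompress first, then judge
gpg's --status-fd output instead of its exit code."""
import bz2, gzip, lzma, subprocess
from pathlib import Path

# Primary-key fingerprint printed in the thread; pin this, not a short key id.
EXPECTED_PRIMARY_FPR = "96E07AF25771955980DAD10020D04E5A713660A7"
DECOMPRESS = {".gz": gzip.decompress, ".xz": lzma.decompress, ".bz2": bz2.decompress}

def strip_compression(data: bytes, suffix: str) -> bytes:
    """The .sign covers the plain .tar, so peel the outer layer off first."""
    return DECOMPRESS.get(suffix, lambda b: b)(data)

def evaluate_status(status: str, expected_primary_fpr: str) -> dict:
    """gpg exits 0 for a good signature by an expired key (EXPKEYSIG, the case
    in the thread), so decide from the status lines: a VALIDSIG whose primary
    fingerprint (last field) is the pinned one, no error tag, key not expired."""
    res = {"valid": False, "expired_key": False, "signer": None, "error": None}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        f = line.split()
        tag = f[1]
        if tag in ("GOODSIG", "EXPKEYSIG"):
            res["signer"] = " ".join(f[3:])
            res["expired_key"] = tag == "EXPKEYSIG"
        elif tag == "VALIDSIG":
            # Very old gpg omits the trailing primary fpr; f[-1] is then the
            # signature class and the comparison fails closed.
            res["valid"] = f[-1].upper() == expected_primary_fpr.upper()
            if not res["valid"]:
                res["error"] = f"unexpected primary key {f[-1]}"
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "REVKEYSIG"):
            res["error"] = tag
    # Expired key: refresh it from the keyserver (the thread's fix) rather than accept.
    res["accepted"] = res["valid"] and res["error"] is None and not res["expired_key"]
    return res

def verify_download(archive: Path, sig: Path, fpr: str = EXPECTED_PRIMARY_FPR) -> dict:
    """Feed the decompressed tar to gpg on stdin ('-') and evaluate the result."""
    payload = strip_compression(archive.read_bytes(), archive.suffix)
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), "-"],
        input=payload, capture_output=True, check=False)
    return evaluate_status(proc.stdout.decode(errors="replace"), fpr)

# Constructed sample bytes for the decompression step (not a real git tarball).
SAMPLE_TAR = b"constructed tar bytes\x00" * 8
SAMPLE_TAR_GZ = gzip.compress(SAMPLE_TAR)
```

Run as `verify_download(Path("git-2.30.0.tar.gz"), Path("git-2.30.0.tar.sign"))["accepted"]`; the same call works for the .tar.xz, since the signature covers the identical .tar.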
* Re: How to Verify Git GPG Signed Downloads?
From: Junio C Hamano @ 2021-01-25 1:03 UTC
To: brian m. carlson; +Cc: brooke, git
"brian m. carlson" <sandals@crustytoothpaste.net> writes:
>> $ gpg --list-keys -v 96AFE6CB
>> gpg: using PGP trust model
>> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
>> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
>> pub 4096R/713660A7 2011-10-01
>> uid Junio C Hamano <gitster@pobox.com>
>> uid Junio C Hamano <junio@pobox.com>
>> uid Junio C Hamano <jch@google.com>
>> sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
>> sub 4096R/833262C4 2011-10-01
>> sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
>>
>> It is possible that Junio forgot to push his refreshed public key.
>
> Yes, I think that's the case.
Hmph, I was fairly sure I pushed it out when I refreshed the expiry
date sometime early last year, but apparently it did not go through.
I just tried recv-keys from keys.gnupg.net into a throw-away
GNUPGHOME and got the output at the end, so it should be OK now.
Sorry about that.
$ gpg --list-keys -v 96AFE6CB
gpg: using pgp trust model
pub rsa4096 2011-10-01 [SC]
96E07AF25771955980DAD10020D04E5A713660A7
uid [ unknown] Junio C Hamano <gitster@pobox.com>
uid [ unknown] Junio C Hamano <jch@google.com>
uid [ unknown] Junio C Hamano <junio@pobox.com>
sub rsa4096 2011-10-01 [E]
sub rsa4096 2011-10-03 [S] [expires: 2028-01-11]
sub rsa4096 2014-09-20 [S] [expires: 2028-01-11]