The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "GPG Signatures"
Line 8: | Line 8: | ||
{{TableEnd}} | {{TableEnd}} | ||
To verify the integrity of stage3 tarballs using GPG, | {{Important|For right now, it's best to not download the {{c|stage3-latest.tar.xz}} file if you are doing GPG verification, but instead download the latest files from the corresponding date timestamp subdirectory. The {{c|.gpg}} file exists in the timestamp directory only.}} | ||
To verify the integrity of stage3 tarballs using GPG, head to the timestamp directory ({{c|2021-11-23/}}, for example) on build.funtoo.org to download your preferred stage3 tarball and the matching file with the additional {{c|.gpg}} extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the ''last 8 digits of the BDFL fingerprint'',) and assign ultimate trust to it: | |||
{{console|body= | {{console|body= | ||
Line 29: | Line 31: | ||
{{console|body= | {{console|body= | ||
$ ##i##gpg --verify stage3- | $ ##i##gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz | ||
gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST | gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST | ||
gpg: using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E | gpg: using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E |
Revision as of 18:55, December 3, 2021
The Funtoo Linux master GPG signing key is the drobbins@funtoo.org
key (the "BDFL key"), which has the following signature:
GPG key name/email | GPG comment | Fingerprint |
---|---|---|
Daniel Robbins drobbins@funtoo.org | BDFL | D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE |
For right now, it's best to not download the stage3-latest.tar.xz
file if you are doing GPG verification, but instead download the latest files from the corresponding date timestamp subdirectory. The .gpg
file exists in the timestamp directory only.
To verify the integrity of stage3 tarballs using GPG, head to the timestamp directory (2021-11-23/
, for example) on build.funtoo.org to download your preferred stage3 tarball and the matching file with the additional .gpg
extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the last 8 digits of the BDFL fingerprint,) and assign ultimate trust to it:
user $ gpg --keyserver pgp.mit.edu --recv-key E986E8EE user $ gpg --edit-key E986E8EE gpg> trust Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y gpg> quit
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ultimately, you will automatically fully trust the build server key.
Next, head to GPG Signatures/Metro Plaintext Keys and copy and paste the public key and associated signatures for the metro build server into a file called node.txt
. Then, import this key into GPG:
user $ gpg --import node.txt
Then, you can use the gpg --verify
command to verify the stage3's GPG signature. You should see output similar to this. The BDFL trusts this key, and if your stage file is not corrupted, you will see a message of a "Good signature" and an exit code of zero:
user $ gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST gpg: using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full] user $ echo $? 0
For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html