The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
GPG Signatures
Funtoo Linux stage tarballs are signed using GPG by the master build server. The following key is used to create detached binary signatures, ending in .gpg, of each stage tarball. The key is 4096 bit RSA with no expiry.
GPG key name/email | GPG comment | Fingerprint | Used for |
---|---|---|---|
Daniel Robbins drobbins@funtoo.org | metro:node | 3073 7D12 308C 9D0C 882F C34B 57CB 0A12 1BAE CB2E (Sign); 70AC BB6B FEE7 BC57 2A89 41D1 9266 C4FA 11FD 00FD (Primary) | All builds |
In turn, these public keys are signed by the Funtoo Linux master signing key:
GPG key name/email | GPG comment | Fingerprint |
---|---|---|
Daniel Robbins drobbins@funtoo.org | BDFL | D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE |
To verify the integrity of stage3 tarballs using GPG, first download your preferred stage3 tarball and the matching file with the additional .gpg extension into the same directory. Next, receive the public master key from a public keyserver (specifying the last 8 hex digits of the BDFL fingerprint) and assign ultimate trust to it:
user $ gpg --keyserver pgp.mit.edu --recv-key E986E8EE
user $ gpg --edit-key E986E8EE
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ultimately, you will automatically fully trust the build server keys.
Then, use the gpg --recv-key command again, this time specifying the last 8 hex digits of the build server's primary key fingerprint listed above, for each build server whose signatures you want to verify. The following command fetches the public keys for all of the Funtoo Linux build servers listed above:
user $ gpg --keyserver pgp.mit.edu --recv-key 11FD00FD
Then, use the gpg --verify command to verify the stage3's GPG signature:
user $ gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
You should see output similar to this, which will specify the last 8 digits of the signing GPG fingerprint:
gpg: Signature made Sun 25 Dec 2016 03:57:27 PM MST using RSA key ID 613539CB
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 4 signed: 0 trust: 3-, 1q, 0n, 0m, 0f, 0u
gpg: Good signature from "Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>" [full]
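The verification above prints only the 8-hex-digit short key ID, and a "Good signature" line by itself only means the signature matches whatever key gpg found; it does not prove the key is one of the build server keys listed on this page. The script below is an added example, not part of the Funtoo wiki or the Funtoo tooling: it performs the same detached-signature check with gpg --verify, but reads the full fingerprint of the signing key from gpg's machine-readable status output and accepts the tarball only if that fingerprint is on the allowlist taken from the table above. It assumes GnuPG 2.1 or newer is installed; the function names (verify_stage, demo_selfcheck) and the throwaway "Example Builder" key used by the self-check are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Funtoo wiki): verify a stage tarball's detached
# signature and require the signing key's FULL fingerprint to be one of the
# fingerprints published on the page, instead of trusting the 8-digit key ID.
# Assumes GnuPG 2.1+ (gpg --status-fd, --quick-generate-key, --pinentry-mode).

# Fingerprints from the page's metro:node row, spaces removed: signing subkey and primary key.
FUNTOO_FINGERPRINTS="30737D12308C9D0C882FC34B57CB0A121BAECB2E 70ACBB6BFEE7BC572A8941D19266C4FA11FD00FD"

# verify_stage <tarball> <detached .gpg signature> [allowed fingerprints]
# Returns 0 only if gpg reports GOODSIG and the VALIDSIG fingerprint is allowed.
verify_stage() {
    tarball=$1
    sig=$2
    allowed=${3:-$FUNTOO_FINGERPRINTS}
    # --status-fd 1 sends "[GNUPG:] ..." lines to stdout; human output goes to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG field 3 is the fingerprint of the key that actually made the signature.
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    for f in $allowed; do
        [ "$f" = "$fpr" ] && return 0
    done
    return 1   # good signature, but from a key that is not on the allowlist
}

# demo_selfcheck: in a throwaway GNUPGHOME, generate a constructed signing key,
# sign a constructed "tarball", and show that verify_stage
#   1. accepts the file when that key's fingerprint is on the allowlist,
#   2. rejects the same good signature when checked against the page's allowlist,
#   3. rejects the file once it has been tampered with.
demo_selfcheck() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    export GNUPGHOME="$tmp"
    rc=1
    # ed25519 keeps key generation fast for the demo; the real build keys are RSA 4096.
    if gpg --batch --pinentry-mode loopback --passphrase '' \
           --quick-generate-key 'Example Builder <builder@example.invalid>' ed25519 sign never >/dev/null 2>&1; then
        fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
        stage="$tmp/stage3-latest.tar.xz"
        printf 'constructed stage3 contents\n' > "$stage"
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --detach-sign --output "$stage.gpg" "$stage" 2>/dev/null
        if verify_stage "$stage" "$stage.gpg" "$fpr" \
           && ! verify_stage "$stage" "$stage.gpg" "$FUNTOO_FINGERPRINTS" \
           && { printf 'tampered\n' >> "$stage"; ! verify_stage "$stage" "$stage.gpg" "$fpr"; }; then
            rc=0
        fi
    fi
    gpgconf --kill gpg-agent 2>/dev/null
    unset GNUPGHOME
    rm -rf "$tmp"
    return $rc
}

# Real use, after receiving the build server keys as described on the page:
#   verify_stage stage3-latest.tar.xz stage3-latest.tar.xz.gpg && echo "stage3 OK"
```

Checking the allowlist from the status output is independent of the trust database, so the check still fails closed if the keyserver handed back a different key that happens to share the short key ID, or if the wrong key was imported by mistake; the ultimate-trust assignment described above remains useful for gpg's own "[full]" validity display but is not what this script relies on.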
For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html