
Re: [Qemu-discuss] How to gpg verify qemu-2.12.0.tar.xz?


From: Thomas Huth
Subject: Re: [Qemu-discuss] How to gpg verify qemu-2.12.0.tar.xz?
Date: Wed, 20 Jun 2018 08:29:28 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 20.06.2018 08:15, Edward Smith wrote:
> Great, thanks Thomas!
> 
> Apparently I was missing the 0x3353C9CE prefix from my key search. What
> is that exactly?

It's the longer form of the key ID. The 32-bit-only key IDs are not safe
anymore these days, see https://evil32.com/ for details.

> Also, I got this output from verifying with this key:
> 
> gpg: Signature made Tue 24 Apr 2018 12:55:16 PM CDT using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth <address@hidden
> <mailto:address@hidden>>"
> gpg:                 aka "Michael Roth <address@hidden
> <mailto:address@hidden>>"
> gpg:                 aka "Michael Roth <address@hidden
> <mailto:address@hidden>>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584
> 
> I take it everything is ok?

AFAIK that simply means that you don't have anybody in your keyring who
you trust and who signed his key. See
https://en.wikipedia.org/wiki/Web_of_trust for the concept of the web of
trust. If that's important to you, I can recommend visiting KVM Forum,
DevConf, FOSDEM or another open source conference where you can meet the
QEMU developers and exchange the key fingerprints with some people there.

 Thomas


> On Wed, Jun 20, 2018 at 12:47 AM Thomas Huth <address@hidden
> <mailto:address@hidden>> wrote:
> 
>     On 20.06.2018 06:19, Edward Smith wrote:
>     > Hello,
>     >
>     > I downloaded the following files to my Ubuntu machine:
>     >
>     > Jun 19 22:37 qemu-2.12.0.tar.xz
>     > Jun 19 22:37 qemu-2.12.0.tar.xz.sig
>     >
>     > I then attempted to verify the gpg signature of the
>     qemu-2.12.0.tar.xz file
>     > and got the following output:
>     >
>     > gpg: Signature made Tue 24 Apr 2018 12:55:16 PM CDT using RSA key ID
>     > F108B584
>     > gpg: Can't check signature: public key not found
>     >
>     > I tried looking for RSA key with the ID F108B584 on the MIT public key
>     > server but could not find it.
>     >
>     > Any ideas?
> 
>     It should be available on the MIT server:
> 
>     http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> 
>      HTH,
>       Thomas
> 


Attachment: signature.asc
Description: OpenPGP digital signature
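An added example (not from this thread or the QEMU project) showing what the 0x3353C9CE prefix is: a v4 key ID is the low 64 bits of the key's SHA-1 fingerprint, the 8-hex-digit form is the low 32 bits, and only the full fingerprint is worth pinning. The script parses the issuer subpackets of a detached OpenPGP signature (RFC 4880) and checks them against the fingerprint quoted above; the signature packet it parses is a constructed skeleton and the function names are my own.

```python
# Added example, not QEMU's or the thread's code: parse issuer IDs from an OpenPGP v4 signature.
FPR = "CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584"  # fingerprint quoted in the thread

def key_ids(fpr_hex):  # v4 key ID = low 64 bits of the SHA-1 fingerprint; "short" ID = low 32
    fpr = fpr_hex.replace(" ", "").upper()
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}

def _subpackets(area):
    """Yield (type, body) pairs from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                        # two-octet length form
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                            # five-octet length form
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]   # bit 7 of the type octet is "critical"
        i += n

def signature_issuer(sig):
    """Issuer key ID and issuer fingerprint (None if the signature lacks subpacket 33)."""
    t = sig[0]
    i = 1 + (1, 2, 4, 0)[t & 3]               # old-format header (gpg's default): 1/2/4-octet length
    if t & 0xC0 != 0x80 or (t >> 2) & 0x0F != 2 or sig[i] != 4:
        raise ValueError("expected an old-format v4 OpenPGP signature packet")
    hlen = int.from_bytes(sig[i + 4:i + 6], "big")   # after version, sig type, pk algo, hash algo
    j = i + 6 + hlen
    ulen = int.from_bytes(sig[j:j + 2], "big")
    subs = list(_subpackets(sig[i + 6:j])) + list(_subpackets(sig[j + 2:j + 2 + ulen]))
    out = {"issuer_key_id": None, "issuer_fingerprint": None}
    for typ, body in subs:
        if typ == 16:                             # issuer key ID: 8 octets
            out["issuer_key_id"] = body.hex().upper()
        elif typ == 33 and body[0] == 4:          # issuer fingerprint: version octet + 20 octets
            out["issuer_fingerprint"] = body[1:].hex().upper()
    return out

def issuer_matches_pin(sig, pinned_fpr):
    """Accept only the full pinned fingerprint; a matching 64/32-bit key ID alone is rejected."""
    info, want = signature_issuer(sig), key_ids(pinned_fpr)
    return (info["issuer_key_id"] == want["long_id"]
            and info["issuer_fingerprint"] == want["fingerprint"])

def build_sample_sig(fpr_hex):
    """Constructed v4 RSA/SHA-256 signature skeleton for testing; the MPI is a dummy."""
    fpr = bytes.fromhex(fpr_hex.replace(" ", ""))
    hashed, unhashed = bytes([22, 33, 4]) + fpr, bytes([9, 16]) + fpr[-8:]
    body = (bytes([4, 0, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x12\x34\x00\x10\xbe\xef")
    return bytes([0x88, len(body)]) + body        # old-format header: tag 2, one-octet length
```

Run over qemu-2.12.0.tar.xz.sig this only tells you which key to fetch (by full fingerprint, not the F108B584 short form); it proves nothing cryptographically, so still run gpg --verify and compare the fingerprint gpg prints with the one published by the project.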

