where can I find the public key for Gnu Emacs?

I have used emacs for only half a year from 23.1 to 23.3.

Every time I tried to find the gpg public key for emacs so that I could check the tar.gz package with the tar.gz.sig released with every new version, I failed.

It seems I should fetch the public key first, and I searched the emacs website, but never found a sign...

I can only find the SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check.

How do I do this?

Bandur answered 18/4, 2011 at 10:13 Comment(0)

If you try to verify the signature using

gpg --verify <pkg>.sig

you'll get an output like the following:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key

The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:

gpg --recv-keys BE216115

Which resulted in the following on my installation:

gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2  valid:   6  signed:   1  trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg:                 aka "Francesco Potortì <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31  7666 09DF 2DC9 BE21 6115

So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:

gpg --edit-key BE216115

In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard.

Theretofore answered 18/4, 2011 at 10:40 Comment(1)
How do I know I can trust you (BE216115 being the key)? Also simply trusting any added key does not seem to be a good practice. - Turnheim

The GNU keyring is at https://ftp.gnu.org/gnu/gnu-keyring.gpg

You can import them locally (after downloading) with

gpg --import gnu-keyring.gpg
Stewardson answered 19/4, 2011 at 2:17 Comment(4)
Thanks. The accepted answer does not specify what to do when there is no keyserver. - Changchun
Isn't this kinda overkill for just verifying downloads? - Halliehallman
@JeffBurdges If you're downloading software that you'll then install and run (possibly as root) it seems reasonable to verify that it's the right software. - Ngocnguyen
How did you find the keyserver URL? I checked the sidebar and topbar links and also Googled for it but couldn't find it. - Toulouse

There is a README file at the root level of the GNU FTP server which explains how to use the signatures.

See https://ftp.gnu.org/README for the up-to-date version.

The current file says:

There are also .sig files, which contain detached GPG signatures of the above
files, automatically signed by the same script that generates them.

You can verify the signatures for gnu project files with the keyring file from:
  https://ftp.gnu.org/gnu/gnu-keyring.gpg

In a directory with the keyring file, the source file to verify and the
signature file, the command to use is:

  $ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
Sapajou answered 8/3, 2015 at 12:37 Comment(2)
It turns out that your answer is - for Emacs-26.1 at least - the only one still working, thanks a lot. - Saurischian
I've also seen internal GNU Maintainer discussion talking about the difficulty with keyservers and advising people to use the keyring. Thus, this answer is closest to what is most widely understood to "just work" in the GNU community. - Sexton

The answer from @vhallac is now out of date (I'm trying to verify an emacs-24.4 download). If you don't want to download and import the entire GNU keyring (as @JSON discussed), here's a way to get this done. In this answer I'll show what works today but also how to figure out what will work a year from now.

First download emacs and its .sig file. I have:

$ ls | grep emacs
emacs-24.4.tar.xz
emacs-24.4.tar.xz.sig

Assuming you already have gpg installed, try to verify it:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Can't check signature: public key not found

In this attempt, it fails (you'll see a successful attempt at the end of this post). I don't have the public key. The output tells you which public key you need to obtain: A0B0F199. (This is the thing that will most likely change in the future.)

So I then try to download it with the default command:

$ gpg --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
(...hangs here...)

It just hangs. That's because I have ufw (my Linux firewall software) blocking most ports. You can tell gpg to use port 80, like so:

$ gpg --keyserver hkp://keys.gnupg.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
gpgkeys: key A0B0F199 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

That got through the firewall, but fails because, for some reason, the Emacs/FSF keys are no longer being stored on the gnupg server. So I tried the other keyserver I know about and have some level of trust in:

$ gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server pool.sks-keyservers.net
gpg: key A0B0F199: public key "Glenn Morris <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

OK, it worked. Now check it:

$ gpg --list-keys
...
pub   2048R/A0B0F199 2012-12-23 [expires: 2015-12-23]
uid                  Glenn Morris <[email protected]>
sub   2048R/951C59EC 2012-12-23 [expires: 2015-12-23]

Yep, got it.

Now I can verify the downloaded emacs tarball:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Good signature from "Glenn Morris <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199

The signature is "good", but not trusted. See the other answers for how to trust that key.

Bucktooth answered 7/3, 2015 at 18:7 Comment(1)
You can create a gpg.conf file with a line for the key server: keyserver hkp://pool.sks-keyservers.net:80. Put this gpg.conf file into ~/.gnupg (under unix-like environments) or into c:/Users/USERNAME/AppData/Roaming/gnupg under Windows. - Mandler
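Combining the keyring command from the ftp.gnu.org README (quoted in an answer above) with the fingerprint question raised in the comment on the first answer, here is an added shell example (not code from any of the answers) that verifies a tarball and then requires the signer's primary key fingerprint to equal one you pinned in advance, instead of assigning trust to the key. It assumes gpg is installed and gnu-keyring.gpg has been downloaded into the current directory; the --status-fd sample at the end is constructed, with a made-up subkey fingerprint.

```shell
#!/bin/sh
# Added example: verify with the README's gnu-keyring.gpg command, then
# require the signer's PRIMARY key fingerprint to match a pinned value.
# Good signature + matching pin passes; no ownertrust is assigned.

# Drop spaces and upper-case hex so the spaced form gpg prints and the
# compact form in --status-fd output compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg --status-fd lines on stdin and print the primary key
# fingerprint from the VALIDSIG line: counting "[GNUPG:] VALIDSIG" as
# fields 1 and 2, the signing (sub)key is field 3, the primary is field 12.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# status_matches_pin STATUS_TEXT PINNED_FPR -> 0 if they agree, else 1
status_matches_pin() {
    got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$2")" ]
}

# verify_gnu_tarball TARBALL SIGFILE PINNED_FPR [KEYRING]
# Assumes gpg is installed and gnu-keyring.gpg sits in the current dir.
verify_gnu_tarball() {
    tarball=$1; sig=$2; pin=$3; keyring=${4:-./gnu-keyring.gpg}
    # --status-fd 1 puts the machine-readable lines on stdout.
    status=$(gpg --status-fd 1 --keyring "$keyring" --verify "$sig" "$tarball") || {
        echo "BAD: gpg did not accept the signature on $tarball" >&2
        return 1
    }
    if status_matches_pin "$status" "$pin"; then
        echo "OK: $tarball is signed by the pinned key $(norm_fpr "$pin")"
    else
        echo "BAD: good signature, but not by the pinned key" >&2
        return 1
    fi
}

# Constructed sample of --status-fd output (not from a real run): a signing
# subkey with a made-up fingerprint whose primary key carries the Glenn Morris
# fingerprint quoted above; TRUST_UNDEFINED means no ownertrust was assigned.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Glenn Morris <address elided>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-10-20 1413831501 0 4 0 1 8 00 B29426DEFB07724C3C35E5D36592E9A3A0B0F199
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

Call it as `verify_gnu_tarball emacs-24.4.tar.xz emacs-24.4.tar.xz.sig "B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199"` with the fingerprint taken from a source you obtained independently of the download.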

Emacs needs the updated gnu-elpa-keyring-update package. But... without an updated gnu-elpa-keyring-update package you can't do it.

For this reason, it is necessary to do the following:

  1. Disable signature checking of packages and package archives by setting package-check-signature to nil.
  2. Install the package gnu-elpa-keyring-update.
  3. Restore the package-check-signature variable value.

Code from my init.el (add after setting package archives, but before installing any package with use-package or other tools):

(add-to-list 'package-pinned-packages '("gnu-elpa-keyring-update" . "gnu"))

(unless (package-installed-p 'gnu-elpa-keyring-update)
  ;; Save default value of `package-check-signature' variable
  (defvar package-check-signature-default package-check-signature)

  ;; Disable signature checking
  (setq package-check-signature nil)

  ;; Download package archives (without signature checking)
  (package-refresh-contents)

  ;; Install package `gnu-elpa-keyring-update' (without signature checking)
  (package-install 'gnu-elpa-keyring-update t)

  ;; Restore `package-check-signature' value to default.
  (setq package-check-signature package-check-signature-default))
Masry answered 22/4, 2024 at 20:6 Comment(0)