[Nut-upsuser] NUT public key?

Peter Selinger selinger at mathstat.dal.ca
Sat Jan 28 14:52:58 UTC 2006


Kjell Claesson wrote:
> 
> Hi Matthew.
> 
> The public key is often located at the same server you get the code
> from.
> 
> If you look att the link you named, you can download nut-2.0.2.tar.gz
> and the signature. The signature is the gpg key file.

I don't think this is correct at all. The signature is the signature,
not the key. You still need to know the signer's public key to verify
that the signature is correct. Otherwise, you only get:

$ gpg --verify nut-2.0.2.tar.gz.sig 
gpg: Signature made Tue 28 Jun 2005 04:43:09 AM ADT using DSA key ID 204DDF1B
gpg: Can't check signature: public key not found

The key must be obtained from a key server, as Arnaud explained:

$ gpg --keyserver keyring.debian.org --recv-key 204DDF1B

It might be useful if the key was also available from the website, but
this would not increase security, as an impostor site could easily
contain an impostor key. The only way to *really* verify that a key
belongs to its owner is to meet the owner in person, check his
passport, and ask him to personally tell you his key fingerprint.

By the way, the key fingerprint is 1371 07DF 3CF3 9160 7905 144B DB64
14CA 204D DF1B.  Also, for future reference, a copy of the key in
question is appended below. It can be imported with "gpg --import".

-- Peter


> 
> If You run FC (RedHat) you have the gpg checked by the rpm system.
> The same goes for every system that use the rpm system like Suse
> Mandrake ....
> In Gentoo the portage check the files on emerge.
> 
> But if you take the code from cvs, you have to trust the developers.
> that the code is ok.
> 
> /Kjell
> fre 2006-01-27 klockan 12:51 -0800 skrev Matthew.van.Eerde at hbinc.com:
> > I've successfully installed and configured NUT on my test machine
> > and am moving it into production.
> >
> > http://www.networkupstools.org/source.html offers some good
> > advice... "You should always use PGP/GPG to verify the signatures
> > before using any source code"
> >
> > But where can I find the public key that was used to sign the
> > source?  It's not on any key servers I've been able to query.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD0y56QRBACYMNr6RbAfj3T7ZoAyUWjofb/n5HalrHo7utL8V5qpbF0U95dJ
5KNXMzkSe79qviz5O8Np4UJdyzjbb1JSKdSiH56a08E/siJkwJ3c9b4eWCHB7Rq3
2nWWyeF2um/Sk9OqFPDp/3YPJIGxAYCNXMJWYDjVSRmyTkyt7q0cY+uZmwCgxxwv
r8LoVOXfRfSeG41wp/3tIeMD/iuUmvpr9yRWKDlbAuhLEFRhzzcmWFezIUN8a1fW
BmKxnbEcUkdOyrQMypXURWEnr2tYPOoGyq670xrwoWMCS7DhfQnUeFV0IANOvUZA
SOCY8EsiiD3r05LjGEudbnvP2Ol0G5G46IEC2gwNsQlvFZhf+lGG2obFGnIFTi2o
RhmxBACPemrbn3DoiPKwTpxoLsg5+s75InMDsPVe15TfxrDrXotsoT7rya5wjAIu
aCqPlwI/RLweii1EZLFuBS9T1VO4k3uFXn8Ud9RuqhZnL45Ghw5dDPNnB8zTgqBP
h9H1zNl+zPgN0DEZUTg9HZWfVFEfdEu/U6cr48tGk8gWefOB9rQlQXJuYXVkIFF1
ZXR0ZSA8YXJuYXVkLnF1ZXR0ZUBmcmVlLmZyPohGBBMRAgAGBQI9QTuYAAoJEAfc
Vj0fQbkHSPUAn031aqGrV2Un3EMbXXPL4/xCnAcOAJ9fCtFxbmqrHwFzh1cB2YAC
TXzkvohGBBARAgAGBQI9OGagAAoJEMJsl5BtT8ZvKAMAn0ocqpJSNeJB54UOtc9F
EVORxFTwAJ4yN+mDYfFSii6biK1b+kh/NKplr4hXBBMRAgAXBQI9MuelBQsHCgME
AxUDAgMWAgECF4AACgkQ22QUyiBN3xtcHgCgl7fCcMbLO/pUvn+CvlT5UKDvh6IA
oMLSSkYDb5L+Q9T3SYVX9wi2X2pIiEYEEBECAAYFAj4whPEACgkQt53vqnonoMw0
gwCeO+gPks2bLPCm3fSG7quTw4Dq3R4An0h+K2RdLHIftfyunYRt0/tZ0op9iEYE
EBECAAYFAj5T5YEACgkQhXQ5paxQ4+M8TgCeKoeRe3EcxyVRGeG8nuGWfeP1XTYA
n1ntHMErbN8z+rdpwJHwow+ZfjhSiEYEExECAAYFAkIDzkYACgkQzWFP1/XWUWmw
4gCaAhr9hgcFvovnkf32xPDRBYB4B7sAn0cSilpvBH89RaqDY2rjhUEEjb/4iEYE
ExECAAYFAkIBSeEACgkQ1OXtrMAUPS2JcACghua5KAhhMfZhj0h59ciXoUQe8nsA
njwh1Q6FEZcBPbUHRP4ESVIBUmb4iEYEEBECAAYFAkLdAScACgkQn0KMlibPg3w0
vgCgk5+ZXRiVBcI5P1+QGvlb4xx1nkMAoLIJILX2Hh5W94H0WPxXMdh+IrlftChB
cm5hdWQgUXVldHRlIDxhcm5hdWQucXVldHRlQG1nZXVwcy5jb20+iEYEEBECAAYF
Aj04ZqYACgkQwmyXkG1Pxm9bugCgi67yiwwumP/76PvHG/i8z39abeMAoJ5Mt3Y2
N8WPvH+COBIotPNN56CyiFcEExECABcFAj00Pi8FCwcKAwQDFQMCAxYCAQIXgAAK
CRDbZBTKIE3fG1xfAJ0WFHDXpKrMiYqMRqYC9sJy7v/WLgCbB1Z8qUAnNd4WZJmo
HUVMKTbJr42IRgQQEQIABgUCPjCE8QAKCRC3ne+qeiegzGHeAJ9mce/F4j5gUEI7
DITTL/mbJIZ9fACggtfCWs6pi0gJhyjA0MZq5C30u3+IRgQQEQIABgUCPlPliwAK
CRCFdDmlrFDj4zZOAJ0WtaJp6L1TQB0smjUNxu0MqURdCACfZBgzV1jCATtx7xl0
4miYUzECeAWIRgQTEQIABgUCQgPORgAKCRDNYU/X9dZRaYrcAKDVxkP+46SZLvgO
GWyklWkUFWY9yACgvm2ADvUe1H+rn7e0AS0u+dLcUBSIRgQQEQIABgUCQt0BJwAK
CRCfQoyWJs+DfFEZAJ919Nvd8B/0UFeCt0wgZu+/zF5ovwCgvsm+vaeTXzG7Dna8
b3dwRQAp+6m0KEFybmF1ZCBRdWV0dGUgPGFybmF1ZC5xdWV0dGVAZGViaWFuLm9y
Zz6IXgQTEQIAHgUCP1ThlAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRDbZBTK
IE3fG7BsAJ4+0PQH3PoL5QN6uZlB3a+nBTSyFgCfegEDNbq4vB9xwCoHh3hHKcmx
dw2IRgQQEQIABgUCQt0BJwAKCRCfQoyWJs+DfLtDAJ9GzfN+bMYbz/doycrvMknY
ihWEiACfZbOejMrj47rG6nGkagqdBp9UTzO0IkFybmF1ZCBRdWV0dGUgPGFxdWV0
dGVAZGViaWFuLm9yZz6IXgQTEQIAHgUCP4mw/QIbAwYLCQgHAwIDFQIDAxYCAQIe
AQIXgAAKCRDbZBTKIE3fG2nRAJwJlIkGjKPdKosEYKHScgf+b2FqFgCgrmG8ew6g
1g7lJb1g17WDCbckSVGIRgQTEQIABgUCQgPOQAAKCRDNYU/X9dZRae5NAJ0aocrd
wddIdvd+49foxQ7RA8r0lQCg40veUsECvVxdZldOwYQCb5ZNy7qIRgQTEQIABgUC
QgFJ3gAKCRDU5e2swBQ9LbZlAKCsfRkNpYG9LxLAAbvzDDJXdihmaACeM2621cjA
GQ6vST2q0izGqCzTIHuIRgQQEQIABgUCQt0BIwAKCRCfQoyWJs+DfDbPAKC78x5n
u/SzmUZ5e+SmS4n84X/K0gCgvNnYjfG3vyVcrW7GKDRAlgxfvbG0JUFybmF1ZCBR
dWV0dGUgPGFxdWV0dGUuZGV2QGdtYWlsLmNvbT6IXgQTEQIAHgUCQy6haQIbAwYL
CQgHAwIDFQIDAxYCAQIeAQIXgAAKCRDbZBTKIE3fG+AsAJsHzb1uwsqcJk+hAzZm
Q6sWXELQcQCgjm0lX4U8jWNDrXYevQe0+3HxVdm5AQ0EPTLnwhAEAKEe3dQVxVL/
ekOXdYODJhNER4iJJD6mBlImCHHsFxY1OVLKK9R2n06QdgcLHSBgsSanujED2OeF
l7gYcwxoXEqVdDTUQrbGIXAyu3KV+aPZFETv9L5FHWIglP2UDEIpfu1LfM+h+mwc
DnKEBHxOgtrTbdypCzNd+PFxb/8c51n7AAMFA/4h+KQER+lzk3vqtKDlod0hIVdg
h1IkvlGwKw6MCgTQi3QDoq74DrICWLTl6NqzcfnLsfokDAxflfrtU8sasJy7ych9
Iv0MFbYubs0pzywYr9sKOxJKTO9JVWrFvGCGCjo/ek73zKISZUHKgv7jungAv0er
2pTsMdE66+eEFRhK9IhGBBgRAgAGBQI9MufCAAoJENtkFMogTd8bujUAnA10Az7r
+vi8rMU7LCZgspWUS8mqAKDGiGIVM4k3GnKTtuHveDbe9QMRAQ==
=wJR1
-----END PGP PUBLIC KEY BLOCK-----



More information about the Nut-upsuser mailing list