[Nut-upsuser] NUT public key?

Kjell Claesson kjell.claesson at telia.com
Sun Jan 29 08:39:34 UTC 2006


You are absolutely right, Peter.

I probably got a 'short' in my brain when I read the mail.
I mixed up the public key and the signature.

But now you have the right answer, Matthew.

/Kjell

Sat 2006-01-28 at 10:52 -0400, Peter Selinger wrote:
> Kjell Claesson wrote:
> > 
> > Hi Matthew.
> > 
> > The public key is often located at the same server you get the code
> > from.
> > 
> > If you look at the link you named, you can download nut-2.0.2.tar.gz
> > and the signature. The signature is the gpg key file.
> 
> I don't think this is correct at all. The signature is the signature,
> not the key. You still need to know the signer's public key to verify
> that the signature is correct. Otherwise, you only get:
> 
> $ gpg --verify nut-2.0.2.tar.gz.sig 
> gpg: Signature made Tue 28 Jun 2005 04:43:09 AM ADT using DSA key ID 204DDF1B
> gpg: Can't check signature: public key not found
> 
> The key must be obtained from a key server, as Arnaud explained:
> 
> $ gpg --keyserver keyring.debian.org --recv-key 204DDF1B
> 
> It might be useful if the key was also available from the website, but
> this would not increase security, as an impostor site could easily
> contain an impostor key. The only way to *really* verify that a key
> belongs to its owner is to meet the owner in person, check his
> passport, and ask him to personally tell you his key fingerprint.
> 
> -- Peter
> 
> 
> > 
> > If you run FC (RedHat) you have the gpg checked by the rpm system.
> > The same goes for every system that use the rpm system like Suse
> > Mandrake ....
> > In Gentoo the portage check the files on emerge.
> > 
> > But if you take the code from cvs, you have to trust the developers
> > that the code is OK.
> > 
> > /Kjell
> > Fri 2006-01-27 at 12:51 -0800, Matthew.van.Eerde at hbinc.com wrote:
> > > I've successfully installed and configured NUT on my test machine
> > > and am moving it into production.
> > >
> > > http://www.networkupstools.org/source.html offers some good
> > > advice... "You should always use PGP/GPG to verify the signatures
> > > before using any source code"
> > >
> > > But where can I find the public key that was used to sign the
> > > source?  It's not on any key servers I've been able to query.
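
The sequence Peter describes, carried through end to end as an added example (this is not code from the NUT project or from anyone in this thread): verification fails when the signer's key is absent, succeeds once the key has been imported, and, as the step Peter's last paragraph implies, is pinned to the fingerprint you confirmed out of band rather than to whatever key the signature names. Everything in it is constructed: a throwaway signing key, a fake nut-2.0.2.tar.gz, and temporary GNUPGHOME directories standing in for the developer's keyring, a user who fetched the key, and a user who never did. It needs only gpg (2.1 or later) and runs offline, so the import step stands in for the `--recv-key` from a keyserver.

```sh
#!/bin/sh
# Added example, not from the NUT project. All keys, files and names below are
# constructed stand-ins so the script runs offline with no keyserver.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"   # stands in for the release manager's keyring
USER_HOME="$WORK/user"       # a user who imported the key (what --recv-key does)
EMPTY_HOME="$WORK/empty"     # a user who never obtained the key
mkdir -m 700 "$SIGNER_HOME" "$USER_HOME" "$EMPTY_HOME"
TARBALL="$WORK/nut-2.0.2.tar.gz"   # constructed stand-in, not the real release
SIG="$TARBALL.sig"
TAMPERED="$WORK/tampered.tar.gz"

cleanup() {
    for h in "$SIGNER_HOME" "$USER_HOME" "$EMPTY_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Signer side: generate an unprotected throwaway key and detach-sign the tarball.
printf 'constructed release contents\n' > "$TARBALL"
printf 'constructed release contents, modified\n' > "$TAMPERED"
gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Signer <signer@example.invalid>' default sign never
gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --yes --output "$SIG" --detach-sign "$TARBALL"
gpg --homedir "$SIGNER_HOME" --batch --armor --export > "$WORK/signer.asc"
# The fingerprint is the value you would confirm out of band, as Peter says.
SIGNER_FPR=$(gpg --homedir "$SIGNER_HOME" --batch --with-colons --with-fingerprint --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }')

# verify_release KEYRING SIG FILE: 0 if gpg reports a good signature from *some*
# key in KEYRING, non-zero otherwise (including "public key not found").
verify_release() {
    gpg --homedir "$1" --batch --verify "$2" "$3" >/dev/null 2>&1
}

# verify_release_pinned KEYRING SIG FILE FPR: like verify_release, but accepts
# the signature only if gpg's machine-readable VALIDSIG line carries the
# expected fingerprint. An impostor key on an impostor site cannot pass this.
verify_release_pinned() {
    status=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $4 "
}

# User side: import the published key (the offline equivalent of --recv-key).
gpg --homedir "$USER_HOME" --batch --quiet --import "$WORK/signer.asc"

if verify_release "$EMPTY_HOME" "$SIG" "$TARBALL"; then
    echo "unexpected: verified without the public key"
else
    echo "without the key: can't check signature (as in Peter's transcript)"
fi
if verify_release "$USER_HOME" "$SIG" "$TARBALL"; then
    echo "with the key imported: good signature"
fi
if verify_release "$USER_HOME" "$SIG" "$TAMPERED"; then
    echo "unexpected: tampered tarball verified"
else
    echo "tampered tarball: bad signature"
fi
if verify_release_pinned "$USER_HOME" "$SIG" "$TARBALL" "$SIGNER_FPR"; then
    echo "pinned to fingerprint $SIGNER_FPR: good signature"
fi
```

Note that `gpg --verify` exits 0 as soon as the signature is good under any key in the keyring, even one marked untrusted, so a script that only checks the exit status is satisfied by whatever key it was told to import. The pinned variant is the one to use in an automated build: the fingerprint comes from somewhere you trust, not from the download site.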
