gnupg - where can I find the public key for Gnu Emacs?

Question

I have used emacs for only half a year from 23.1 to 23.3.

Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version. It turned out I failed every time :-].

It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...

I can only find SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check

I am not doubt the security of FSF, by the way. just curious...never use gpg before...

Can you give me a link?

Thanks

question from:https://stackoverflow.com/questions/5701388/where-can-i-find-the-public-key-for-gnu-emacs

Answer 1

If you try to verify the signature using

gpg --verify <pkg>.key

you'll get an output like the following:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key

The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:

gpg --recv-keys BE216115

Which resulted in the following on my installation:

gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <pot@potorti.it>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2  valid:   6  signed:   1  trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <pot@potorti.it>"
gpg:                 aka "Francesco Potortì <pot@gnu.org>"
gpg:                 aka "Francesco Potortì <Potorti@isti.cnr.it>"
gpg:                 aka "Francesco Potortì <pot@softwarelibero.it>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31  7666 09DF 2DC9 BE21 6115

So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:

gpg --edit-key BE216115

In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard