On 23/08/17 15:11, Dan Norton wrote: > #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) > is on my desktop. In the process of installing borg from: > > https://github.com/borgbackup/borg/releases You can install it easily in Debian. The package is called “borgbackup”. However, in Debian 9 it is an older version. If you want the latest version in Debian 9 you will have to install from the sources. > sudo apt-key add borg-linux64.gpg There is no reason to do this. You should not change the apt-get keys lightly. To install from source, there is no reason to add more trusted keys to apt-get. > If nothing is amiss so far (a big if), the problem now is: > > $ gpg --verify borg-linux64.asc borg-linux64 > gpg: Signature made Sun 23 Jul 2017 07:23:38 PM EDT using RSA key ID > 51F78E01 > gpg: Can't check signature: public key not found > > How to get the public key? See <https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>. A key may claim to belong to X person, but you should not take the key's word for granted. You must verify that X person indeed owns that key. The best way to do this is that the person gives you face to face his gpg key. Second best is using the OpenPGP web of trust. In your case, probably neither option is possible, at least not immediately (joining the web of trust usually requires physically traveling to key signing parties, or something similar). The best you can do is to trust the key given by the official borg page. How do you know what is the official borg page? You should not trust a search engine for this, nor what the page itself claim, but you can trust the Debian developers (not because they are special, but because you are trusting them by using Debian). To see the home-page of a package in Debian, do as follows: $ apt-cache show borgbackup | grep ^Homepage Homepage: https://borgbackup.github.io/borgbackup/ After some clicks, starting in this page, you will end in the page I mentioned (which is <https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>). After you have followed this procedure to obtain a fingerprint of the borg developer that signs the release, fetch the key with the following command (substitute FINGERPRINT with the actual fingerprint. You need not delete the spaces in the fingerprint, but do not delete the single quotation marks in the command): gpg --keyserver 'hkps://hkps.pool.sks-keyservers.net' --recv-key 'FINGERPRINT' Regards. -- Do not eat animals, respect them as you respect people. https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
Attachment:
signature.asc
Description: OpenPGP digital signature