
Re: Public Key



On 23/08/17 15:11, Dan Norton wrote:
> #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26)
> is on my desktop. In the process of installing borg from:
> 
> https://github.com/borgbackup/borg/releases

You can install it easily in Debian. The package is called “borgbackup”.
However, in Debian 9 it is an older version. If you want the latest
version in Debian 9 you will have to install from the sources.

> sudo apt-key add borg-linux64.gpg

There is no reason to do this. You should not change the apt-get keys
lightly. To install from source, there is no reason to add more trusted
keys to apt-get.

> If nothing is amiss so far (a big if), the problem now is:
> 
> $ gpg --verify borg-linux64.asc borg-linux64
> gpg: Signature made Sun 23 Jul 2017 07:23:38 PM EDT using RSA key ID
> 51F78E01
> gpg: Can't check signature: public key not found
> 
> How to get the public key?

See
<https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>.

A key may claim to belong to X person, but you should not take the key's
word for granted. You must verify that X person indeed owns that key.
The best way to do this is for the person to give you his gpg key face
to face. Second best is using the OpenPGP web of trust.

In your case, probably neither option is possible, at least not
immediately (joining the web of trust usually requires physically
traveling to key signing parties, or something similar). The best you
can do is to trust the key given by the official borg page.

How do you know what the official borg page is? You should not trust a
search engine for this, nor what the page itself claims, but you can
trust the Debian developers (not because they are special, but because
you are trusting them by using Debian).

To see the home-page of a package in Debian, do as follows:

$ apt-cache show borgbackup | grep ^Homepage
Homepage: https://borgbackup.github.io/borgbackup/

After some clicks, starting in this page, you will end in the page I
mentioned (which is
<https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>).

After you have followed this procedure to obtain a fingerprint of the
borg developer who signs the release, fetch the key with the following
command (substitute FINGERPRINT with the actual fingerprint; you need
not delete the spaces in the fingerprint, but do not delete the single
quotation marks in the command):

gpg --keyserver 'hkps://hkps.pool.sks-keyservers.net' --recv-key 'FINGERPRINT'
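Once the key is imported, the remaining step is to make sure the verification actually checks against the fingerprint you pinned from the official page, not just against whatever key happens to be in the keyring. The script below is an added example and is not part of this message or of the borg project: it runs `gpg --status-fd 1 --verify` on a detached signature and parses the machine-readable status lines, accepting the result only when the `VALIDSIG` fingerprint matches the pinned one. It also refuses to accept an 8-hex-digit short key ID (like the one in the quoted error) as a pin, since short IDs are not unique. The fingerprints and status lines in the sample data are constructed placeholders, not borg's real keys.

```python
import os
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


def normalize_fingerprint(fpr: str) -> str:
    """Remove the spaces key pages print inside fingerprints and upper-case the hex.

    Only full 40-hex-digit (OpenPGP v4) fingerprints are accepted as a pin; the
    8-hex-digit short key ID gpg prints in its error message can collide.
    """
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("expected a 40-hex-digit fingerprint, got %r" % fpr)
    return cleaned


@dataclass
class SignatureCheck:
    ok: bool
    reason: str
    signer_fpr: Optional[str] = None


def check_status(status_text: str, expected_fpr: str) -> SignatureCheck:
    """Decide from gpg --status-fd output whether the pinned key made a valid signature.

    gpg emits one VALIDSIG line per good signature: field 1 is the fingerprint of
    the (sub)key that signed, field 10 the primary key's fingerprint; either may
    match the pin. NO_PUBKEY names the missing key, which is the situation behind
    "public key not found". Anything else (BADSIG, expired keys, ...) fails closed.
    """
    expected = normalize_fingerprint(expected_fpr)
    valid: List[Tuple[str, str]] = []
    missing: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and len(args) >= 10:
            valid.append((args[0].upper(), args[9].upper()))
        elif keyword == "NO_PUBKEY" and args:
            missing.append(args[0])
    for signing_fpr, primary_fpr in valid:
        if expected in (signing_fpr, primary_fpr):
            return SignatureCheck(True, "valid signature by the pinned key", signing_fpr)
    if valid:
        return SignatureCheck(False, "valid signature, but not by the pinned key", valid[0][0])
    if missing:
        return SignatureCheck(False, "public key not found: " + ", ".join(missing))
    return SignatureCheck(False, "no valid signature reported by gpg")


def verify_detached(data_path: str, sig_path: str, expected_fpr: str,
                    gnupghome: Optional[str] = None) -> SignatureCheck:
    """Run gpg on a detached signature and apply check_status to its status output."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome  # e.g. a keyring holding only the pinned key
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, env=env, check=False,
    )
    return check_status(proc.stdout, expected_fpr)


# Constructed sample data: placeholder fingerprints and status lines, not borg's keys.
PINNED = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-07-23 "
    "1500852218 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
MISSING_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1500852218 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)

if __name__ == "__main__":
    print(check_status(GOOD_STATUS, PINNED))     # ok=True, signer is the subkey
    print(check_status(MISSING_STATUS, PINNED))  # ok=False, public key not found
```

In practice you would call `verify_detached("borg-linux64", "borg-linux64.asc", PINNED)` with the fingerprint taken from the security-contact page; pointing `gnupghome` at a directory containing only that key keeps unrelated keys in your main keyring out of the decision.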

Regards.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
