
Re: Public Key
On 08/23/2017 07:24 PM, Mario Castelán Castro wrote:
> On 23/08/17 15:11, Dan Norton wrote:
>> #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26)
>> is on my desktop. In the process of installing borg from:
>>
>> https://github.com/borgbackup/borg/releases
> You can install it easily in Debian. The package is called “borgbackup”.
> However, in Debian 9 it is an older version. If you want the latest
> version in Debian 9 you will have to install from the sources.
I'm all for that, but unfortunately...

$ apt-cache show borgbackup | grep ^Homepage
E: No packages found

Before posting I searched for borg and because nothing turned up I tried to install it another way. It's supposed to be a self-contained binary; the simplicity is appealing, but it's gotta be the real thing (not spoofed).

>> sudo apt-key add borg-linux64.gpg
> There is no reason to do this. You should not change the apt-get keys
> lightly. To install from source, there is no reason to add more trusted
> keys to apt-get.
Glad to learn this now.

>> If nothing is amiss so far (a big if), the problem now is:
>>
>> $ gpg --verify borg-linux64.asc borg-linux64
>> gpg: Signature made Sun 23 Jul 2017 07:23:38 PM EDT using RSA key ID 51F78E01
>> gpg: Can't check signature: public key not found
>>
>> How to get the public key?
> See
> <https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>.
>
> A key may claim to belong to X person, but you should not take the key's
> word for granted. You must verify that X person indeed owns that key.
> The best way to do this is that the person gives you face to face his
> gpg key. Second best is using the OpenPGP web of trust.
>
> In your case, probably neither option is possible, at least not
> immediately (joining the web of trust usually requires physically
> traveling to key signing parties, or something similar). The best you
> can do is to trust the key given by the official borg page.
>
> How do you know what the official borg page is? You should not trust a
> search engine for this, nor what the page itself claims, but you can
> trust the Debian developers (not because they are special, but because
> you are trusting them by using Debian).
>
> To see the home-page of a package in Debian, do as follows:
>
> $ apt-cache show borgbackup | grep ^Homepage
> Homepage: https://borgbackup.github.io/borgbackup/
I like what you are saying. Now, if that package could be found we'd be in business.

> After some clicks, starting in this page, you will end in the page I
> mentioned (which is
> <https://borgbackup.readthedocs.io/en/stable/support.html#security-contact>).
>
> After you have followed this procedure to obtain a fingerprint of the
> borg developer that signs the release, fetch the key with the following
> command (substitute FINGERPRINT with the actual fingerprint. You need
> not delete the spaces in the fingerprint, but do not delete the single
> quotation marks in the command):
>
> gpg --keyserver 'hkps://hkps.pool.sks-keyservers.net' --recv-key 'FINGERPRINT'
How do we know about 'hkps://hkps.pool.sks-keyservers.net'? I tried the command...

$ gpg --keyserver 'hkps://hkps.pool.sks-keyservers.net' --recv-key '<the key>'
gpg: requesting key FAF7B393 from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP fetch error 1: unsupported protocol
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Regards.
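The point Mario makes in this thread, that a key's own claim about who owns it is worthless and only a fingerprint obtained from a trusted place counts, is easy to get wrong in a script: gpg prints "Good signature" for any key in the keyring, including one an impostor generated with the right name. The following Python script is an added example, not code from this thread or from the borg project. It parses gpg's machine-readable `--status-fd` lines and accepts a detached signature only when the VALIDSIG fingerprint equals the fingerprint obtained out of band. The fingerprints, key IDs and user IDs in it are constructed placeholders; `verify_file` is a hypothetical wrapper that assumes a `gpg` binary on PATH.

```python
"""Accept a detached OpenPGP signature only if it was made by the expected key.

Added example (not from the thread or the borg project). The decision is
driven by gpg's machine-readable "--status-fd" lines rather than its
human-readable output, and by the full key fingerprint rather than the
32-bit key ID that "Signature made ... using RSA key ID ..." prints.
"""
import subprocess
from typing import Dict, Optional

# Placeholder (constructed): the real value comes from the project's
# security-contact page, obtained out of band, never from the key itself.
EXPECTED_FINGERPRINT = "ABCD EF01 2345 6789 ABCD  EF01 2345 6789 ABCD EF01"

# Any of these status keywords means the signature must not be accepted,
# whatever else gpg reports on the same run.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fingerprint(fpr: str) -> str:
    """gpg shows fingerprints in groups of four hex digits; compare without spaces."""
    return fpr.replace(" ", "").upper()


def parse_status(status_output: str) -> Dict[str, object]:
    """Reduce the "[GNUPG:] ..." status lines to the facts the decision needs."""
    info: Dict[str, object] = {"validsig_fpr": None, "goodsig_keyid": None, "failures": set()}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # VALIDSIG <fingerprint> <sig-date> <sig-timestamp> ...: field 2 is
            # the full fingerprint of the key that actually made the signature.
            info["validsig_fpr"] = fields[2]
        elif keyword == "GOODSIG":
            # GOODSIG <long key id> <user id>: the user id is self-asserted by
            # whoever generated the key and proves nothing about who that is.
            info["goodsig_keyid"] = fields[2]
        elif keyword in FAILURES:
            info["failures"].add(keyword)  # type: ignore[union-attr]
    return info


def signature_acceptable(status_output: str, expected_fingerprint: str) -> bool:
    """True only for a cryptographically valid signature from the expected key."""
    info = parse_status(status_output)
    if info["failures"] or info["validsig_fpr"] is None:
        return False
    # gpg's TRUST_UNDEFINED line is irrelevant here: trust in this one key was
    # established out of band by comparing against the published fingerprint.
    return normalize_fingerprint(str(info["validsig_fpr"])) == normalize_fingerprint(expected_fingerprint)


def verify_file(signature_path: str, data_path: str, expected_fingerprint: str,
                keyring: Optional[str] = None) -> bool:
    """Hypothetical wrapper: run gpg (assumed on PATH) and apply the decision.

    A dedicated keyring holding only the release-signing key keeps every other
    key, including anything added to apt's trust store, out of the verification.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", signature_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return signature_acceptable(proc.stdout, expected_fingerprint)


# Constructed status output shaped like gpg's, for the three outcomes that
# matter: key not in keyring, signature by the expected key, and signature by
# a different key whose user id merely claims the same name.
STATUS_NO_PUBKEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1500852218 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 23456789ABCDEF01 Release Signer (constructed) <signer@example.org>\n"
    "[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2017-07-23 1500852218 0 4 0 1 10 00 "
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
STATUS_IMPOSTOR = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Release Signer (constructed) <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-07-23 1500852218 0 4 0 1 10 00 "
    "1111111111111111111111111111111111111111\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

if __name__ == "__main__":
    for name, status in [("no pubkey", STATUS_NO_PUBKEY), ("expected key", STATUS_GOOD),
                         ("impostor key", STATUS_IMPOSTOR)]:
        print(f"{name}: accepted={signature_acceptable(status, EXPECTED_FINGERPRINT)}")
```

Note that the impostor sample produces a GOODSIG line with the same display name as the real signer; only the fingerprint comparison in `signature_acceptable` tells the two apart, which is exactly why the thread insists on taking the fingerprint from the project's security-contact page rather than from the key or a search result.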