Re: tcb source

From: Solar Designer (solar@private)
Date: Fri Nov 29 2002 - 07:39:41 PST


On Fri, Nov 29, 2002 at 05:16:37PM +0300, Anatoly Pugachev wrote:
> On Thu, Nov 28, 2002 at 10:43:59PM +0300, Solar Designer wrote:
> > -rw-r--r--   1 ftp      ftp         35776 Nov 28 22:25 tcb-0.9.8.3.tar.gz
> > -rw-r--r--   1 ftp      ftp           331 Nov 28 22:25 tcb-0.9.8.3.tar.gz.sign
> > -rw-r--r--   1 ftp      ftp           494 Nov 28 22:33 README
> 
> just a notice...
> downloaded this files and tried to verify tcb-0.9.8.3.tar.gz with it's
> signature:
> 
> $ gpg --verify tcb-0.9.8.3.tar.gz.sign tcb-0.9.8.3.tar.gz
> gpg: Signature made Thu Nov 28 22:24:47 2002 MSK using RSA key ID 295029F1
> gpg: Can't check signature: public key not found
> 
> ofcourse signature can't be checked since i don't have your public key and

So get it. :-)

> nothing about it in the README.

There shouldn't be anything about it in the README or I'd have to
place that information into documentation of everything I place
anywhere.

Each signature file (*.sign) contains the URL:

Comment: http://www.openwall.com/signatures/

(It's added there automagically, by a script.)

It's also linked from the navigation bar on www.openwall.com (the
"signatures" link).

Additionally, besides the above URL, the PGP key is available on key
servers.  You simply notice the key ID and type:

gpg --keyserver wwwkeys.pgp.net --recv-key 295029F1

I think this is enough ways to find the key.

> suggest to write some instructions to README

I disagree.

> as like on http://www.kernel.org/signature.html

Isn't ours pretty much the same?

-- 
/sd



This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 13:43:17 PST