Problems verifying linux: I get "No public key" even after downloading the key

Following these instructions, I downloaded and unpacked the kernel: https://priyachalakkal.wordpress.com/2013/01/19/verifying-digital-signature-using-gpg/

I then tried to verify the signature, but got an unexpected error. It is not one of the success or failure scenarios described by the site documenting the basic method.

Do I need to supply a command-line flag to tell it where to look for the public key?

~# gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 79BE3E4300411886
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 79BE3E4300411886: public key "Linus Torvalds <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

~# gpg --verify linux-5.6.9.tar.sign
gpg: assuming signed data in 'linux-5.6.9.tar'
gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Can't check signature: No public key

Update 1: Following @StephenKitt's answer, I tried fetching the key indicated in the first message (I had to specify the keyserver for it to find the user ID), but the result was not what I expected:

~# gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

~# gpg --verify linux-5.6.9.tar.sign
gpg: assuming signed data in 'linux-5.6.9.tar'
gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <[email protected]>" [unknown]
gpg:                 aka "Greg Kroah-Hartman <[email protected]>" [unknown]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

Update 2: With some googling I was able to work out how to deal with the untrusted-signature warning (see my comment/reply to Stephen on the corresponding answer):

~# gpg2 --tofu-policy good 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman <[email protected]>> to good.
gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman <[email protected]>> to good.
gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>> to good.

~# gpg2 --trust-model tofu --verify linux-5.6.9.tar.sign
gpg: assuming signed data in 'linux-5.6.9.tar'
gpg: Signature made Fri 01 May 2020 11:51:56 PM PDT
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <[email protected]>" [full]
gpg:                 aka "Greg Kroah-Hartman <[email protected]>" [full]
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>" [full]
gpg: [email protected]: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.
gpg: [email protected]: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.
gpg: [email protected]: Verified 1 signatures in the past 0 seconds.  Encrypted 0 messages.

Answer 1

You don't have the right key; the 5.6.9 archive is signed by Greg Kroah-Hartman, not Linus. Running

gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E

will allow you to verify the archive. (That is the fingerprint shown by your second gpg invocation.)

The messages you get after retrieving the key indicate two things:

  • the archive's signature is good ("Good signature from" ...);
  • but you have no proof that the key you downloaded really is Greg's.

Basically, this means you can trust the archive as long as you trust the key. GPG maintains a trust database which tracks links from your key to other people's; most people (you included) don't have any such links. This is based on the web of trust, and is considered impractical as a general-purpose tool; in most cases "trust on first use" (TOFU) is simpler and just as useful. You can change the trust model with the --trust-model option; see the GnuPG manual for details (and discussion).
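
The answer above says the archive can be trusted as long as the key can. A way to make that decision explicit in a script, shown here as an added example that is not part of the question or the answer, is to pin the fingerprint you expect (here the one from the question's output) and check GnuPG's machine-readable --status-fd output rather than grepping the human-readable "Good signature" text. The VALIDSIG and NO_PUBKEY status lines are GnuPG's documented status interface (doc/DETAILS); the shell functions, the EXPECTED_FPR variable and the sample status output below are mine, and the sample is constructed to mirror the question's second run (a good signature from a key with undefined trust).

```shell
#!/bin/sh
# Added example, not code from the question or the answer: verify a detached
# .sign file and accept it only if the signing key (or its primary key) has
# the fingerprint we pinned, independent of the web of trust or TOFU state.

# Fingerprint from the question's output (the stable release signing key).
EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# check_status: read "gpg --status-fd 1" output on stdin and return 0 only if
# a VALIDSIG line names the expected fingerprint, either as the key that made
# the signature or as its primary key. Anything else (no signature, a good
# signature from some other key, a missing public key) returns 1.
check_status() {
    expected=$1
    rc=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG fields: <fpr> <date> <ts> <exp-ts> <ver> <rsvd>
                #   <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
                rest=${line#"[GNUPG:] VALIDSIG "}
                set -- $rest
                if [ "$1" = "$expected" ] || [ "${10}" = "$expected" ]; then
                    rc=0
                fi
                ;;
            "[GNUPG:] NO_PUBKEY "*)
                # The situation in the question: the signing key is not in
                # the keyring, so gpg cannot check the signature at all.
                rest=${line#"[GNUPG:] NO_PUBKEY "}
                keyid=${rest%% *}
                printf 'missing public key %s (try: gpg --recv-keys %s)\n' \
                    "$keyid" "$keyid" >&2
                ;;
        esac
    done
    return $rc
}

# verify_release: run gpg on a detached signature and pin the fingerprint.
# --status-fd 1 puts the machine-readable lines on stdout; the human-readable
# messages (including the "not certified" warning) go to stderr and are dropped.
# Usage: verify_release linux-5.6.9.tar.sign "$EXPECTED_FPR"
verify_release() {
    sig=$1
    expected=$2
    gpg --status-fd 1 --verify "$sig" 2>/dev/null | check_status "$expected"
}

# Constructed sample status output, mirroring the question's second run:
# valid signature, trust undefined because the key is not certified.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2020-05-02 1588402316 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR" \
    && echo "signature made by the pinned key $EXPECTED_FPR"
```

With the fingerprint pinned, the "This key is not certified with a trusted signature!" warning no longer matters to the script's decision: the check passes only when the key you named did the signing, whether the trust model is the web of trust or TOFU, and a good signature from any other key, or a NO_PUBKEY result like the one in the question, fails.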
