Verifying PGP signatures of NILFS releases

Software released via this site has corresponding PGP signatures. You are encouraged to verify the integrity and origin of downloaded releases by verifying the signatures before building or installing them.

To illustrate the verification process, we use the nilfs-utils-2.2.7 release as an example. You are assumed to have downloaded nilfs-utils-2.2.7.tar.bz2 (the release tarball) and nilfs-utils-2.2.7.tar.bz2.asc (the detached signature) into the same directory. If you don't have them yet, you can obtain them with "wget", for instance:

$ wget https://nilfs.sourceforge.io/download/nilfs-utils-2.2.7.tar.bz2
$ wget https://nilfs.sourceforge.io/download/nilfs-utils-2.2.7.tar.bz2.asc

We can test the validity of the tarball with "gpg2" or "gpg" by running the "--verify" command against the signature file. When only the ".asc" file is named, gpg looks for the signed file under the same name without the ".asc" suffix, so the tarball must sit next to the signature:

$ gpg2 --verify nilfs-utils-2.2.7.tar.bz2.asc

If the release manager's key is not yet in your keyring, the output will be:

gpg: Signature made Thu 09 Nov 2017 09:56:24 PM JST using RSA key ID 6DEFF458
gpg: Can't check signature: No public key

This message says the release manager's public key is not in your local keyring. In that case, import it from a keyserver:

$ gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 8B055AE86DEFF458

where "8B055AE86DEFF458" is the "long key ID" of the release manager's key. You may equally pass the full 40-digit fingerprint shown in the next step instead of the long ID; that is the least ambiguous form. If this keyserver is unreachable, any other keyserver that carries the key will do: the check that matters is the fingerprint comparison below, not where the key came from.

Now, let's try "gpg2 --verify" again:

$ gpg2 --verify nilfs-utils-2.2.7.tar.bz2.asc
gpg: Signature made Thu 09 Nov 2017 09:56:24 PM JST using RSA key ID 6DEFF458
gpg: Good signature from "Ryusuke Konishi <konishi.ryusuke@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6147 BCD9 6F8A A0C3 527D  FF3C 8B05 5AE8 6DEF F458

This time the signature was good, however the key is not trusted. We still need to verify that the key used to sign this tarball actually belongs to the release manager. Note that the short key ID gpg prints ("6DEFF458") is only the last 8 hex digits of the fingerprint and is not unique; anyone can generate a key with the same short ID, so always compare the full "Primary key fingerprint" line (6147 BCD9 6F8A A0C3 527D FF3C 8B05 5AE8 6DEF F458 above) against a copy of the fingerprint obtained through an independent channel.

The most secure way to do this is the PGP "Web of Trust", which gives you a cryptographic chain of trust to the key. To learn about the PGP Web of Trust, please see the Wikipedia article and the GnuPG manual section "Validating other keys on your public keyring".

However, this may take some time and effort. A shortcut to a reasonable level of security is to check for a trust path from Ryusuke Konishi's key to the key that signed the tarball, for example with the path finder at pgp.cs.uu.nl: put the key ID from the output above into the "to" field. Only Ryusuke, or people whose key carries Ryusuke's direct signature, release tarballs on this site, so a valid path is either Ryusuke's key itself or a single signature from it. If that site is unavailable, the same check can be done locally: import Ryusuke's key and run "gpg2 --check-sigs" on the signing key to see whether it carries his signature.
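The following shell script is an added example; it is not part of this page or of the NILFS project's tooling. It automates the two steps above ("gpg --verify", then confirming the key is the release manager's) by pinning the full primary-key fingerprint printed on this page and reading gpg's machine-readable "--status-fd" lines instead of the human-readable "Good signature" text, which is localized and easy to misread. The status lines embedded in it are constructed for the example, modelled on the output above (timestamps, algorithm numbers and the second, look-alike fingerprint are made up); the look-alike fingerprint deliberately ends in the same short ID 6DEFF458 to show why the short ID alone is not enough. The script file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not code from the NILFS project: verify a release tarball
# against a pinned release-manager fingerprint using gpg's status lines.

# Primary key fingerprint of key 8B055AE86DEFF458, as printed by gpg --verify above.
EXPECTED_FPR="6147BCD96F8AA0C3527DFF3C8B055AE86DEFF458"

# check_validsig EXPECTED_FPR   (reads gpg --status-fd output on stdin)
# Succeeds only if gpg reported GOODSIG *and* a VALIDSIG whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals
# EXPECTED_FPR. BADSIG, NO_PUBKEY, EXPKEYSIG and REVKEYSIG lack GOODSIG and fail.
check_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($3 == want || $NF == want) fpr = 1 }
        END { if (good && fpr) exit 0; exit 1 }
    '
}

# verify_release TARBALL SIGNATURE EXPECTED_FPR
# --status-fd 1 puts the machine-readable lines on stdout; the human-readable
# text (including the "not certified" warning) goes to stderr and is ignored.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$3"
}

# Constructed sample status output, modelled on the gpg --verify run above
# (the timestamp and algorithm numbers are illustrative, not captured from gpg).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8B055AE86DEFF458 Ryusuke Konishi <konishi.ryusuke@gmail.com>
[GNUPG:] VALIDSIG 6147BCD96F8AA0C3527DFF3C8B055AE86DEFF458 2017-11-09 1510232184 0 4 0 1 8 00 6147BCD96F8AA0C3527DFF3C8B055AE86DEFF458
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed counter-example: a made-up key whose fingerprint ends in the same
# short ID 6DEFF458 and carries the same user ID. gpg would still say "Good signature".
TAMPERED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF6DEFF458 Ryusuke Konishi <konishi.ryusuke@gmail.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF6DEFF458 2017-11-09 1510232184 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF6DEFF458
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# demo_check: runs the parser on both constructed samples; returns 0 only if
# the genuine sample is accepted and the look-alike sample is rejected.
demo_check() {
    printf '%s\n' "$SAMPLE_STATUS" | check_validsig "$EXPECTED_FPR" || return 1
    if printf '%s\n' "$TAMPERED_STATUS" | check_validsig "$EXPECTED_FPR"; then
        return 1
    fi
    return 0
}

# Usage (file name assumed): sh verify-release.sh TARBALL SIGNATURE
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: good signature from pinned key $EXPECTED_FPR"
    else
        echo "FAIL: no good signature from the pinned release key" >&2
        exit 1
    fi
fi
```

Run it after importing the key as shown above. It exits 0 only when gpg emits GOODSIG together with a VALIDSIG naming the pinned fingerprint, so the "not certified with a trusted signature" warning in the interactive output no longer needs to be interpreted by eye; the fingerprint in EXPECTED_FPR is what stands in for the trust path.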
