where can I find the public key for Gnu Emacs?

Question

I have used emacs for only half a year from 23.1 to 23.3.

Every time I tried to find gpg public key for emacs so that I could check tar.gz package with tar.gz.sig released with every new version, I failed.

It seems I should fetch public key first, and I searched the website of emacs, but never found a sign...

I can only find SHA1 checksum in the mailing list http://lists.gnu.org/archive/html/info-gnu-emacs/2011-03/msg00000.html to do the integrity check

How do I do this?

score 40 · Answer 1 · answered Apr 18 '11 at 10:40

If you try to verify the signature using

gpg --verify <pkg>.key

you'll get an output like the following:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Can't check signature: No public key

The key ID you are looking for is BE216115, so you ask gpg to retrieve it using:

gpg --recv-keys BE216115

Which resulted in the following on my installation:

gpg: requesting key BE216115 from hkp server keys.gnupg.net
gpg: key BE216115: public key "Francesco Potortì <pot@potorti.it>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2  valid:   6  signed:   1  trust: 0-, 0q, 0n, 6m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

Now, you can verify it. But since you haven't assigned any trust to this key, the output will be:

gpg: Signature made 02/17/05 14:02:42 GTB Standard Time using DSA key ID BE216115
gpg: Good signature from "Francesco Potortì <pot@potorti.it>"
gpg:                 aka "Francesco Potortì <pot@gnu.org>"
gpg:                 aka "Francesco Potortì <Potorti@isti.cnr.it>"
gpg:                 aka "Francesco Potortì <pot@softwarelibero.it>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B02 6187 5C03 D6B1 2E31  7666 09DF 2DC9 BE21 6115

So, you will know that the signature is valid, but you are not trusting the public key. You can trust or sign the public key using:

gpg --edit-key BE216115

In the command prompt type help to see all the available options. For further information, see Using the GNU Privacy Guard

How do I know I can trust you (`BE216115` being the key)? Also simply trusting any added key does not seem to be a good practice. — Zelphir Kaltstahl, May 24 '17 at 16:57

score 32 · Answer 2 · edited Apr 20 '19 at 00:16

32

The GNU keyring is at https://ftp.gnu.org/gnu/gnu-keyring.gpg

You can import them locally (after downloading) with

gpg --import gnu-keyring.gpg

edited Apr 20 '19 at 00:16

phils

71,335
11
153
198

answered Apr 19 '11 at 02:17

JSON

4,487
22
26

Thanks. The accepted answer does not specify what to do when there is no keyserver. – Ezekiel Victor Jan 30 '15 at 03:03
Isn't this kinda overkill for just verifying downloads? – Jeff Burdges Feb 04 '15 at 09:55
7

@JeffBurdges If you're downloading software that you'll then install and run (possibly as root) it seems reasonable to verify that it's the right software. – Anschel Schaffer-Cohen Oct 03 '15 at 02:40

phils · Answer 3 · 2019-04-20T00:20:58.367

17

There is a README file at the root level of the GNU FTP server which explains how to use the signatures.

See https://ftp.gnu.org/README for the up-to-date version.

The current file says:

There are also .sig files, which contain detached GPG signatures of the above
files, automatically signed by the same script that generates them.

You can verify the signatures for gnu project files with the keyring file from:
  https://ftp.gnu.org/gnu/gnu-keyring.gpg

In a directory with the keyring file, the source file to verify and the
signature file, the command to use is:

  $ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig

edited Apr 20 '19 at 00:20

answered Mar 08 '15 at 12:37

phils

71,335
11
153
198

1

It turns out that your answer is - for Emacs-26.1. at least - the only still working, thanks a lot. – Dieter.Wilhelm Jun 01 '18 at 09:29
I've also seen internal GNU Maintainer discussion talking about the difficulty with keyservers and advising people to use the keyring. Thus, this answer is closest to what is most widely understood to "just work" in the GNU community. – cryptarch Jul 02 '22 at 06:16

score 15 · Answer 4 · answered Mar 07 '15 at 18:07

The answer from @vhallac is now out of date (I'm trying to verify an emacs-24.4 download). If you don't want to download and import the entire GNU keyring (as @JSON discussed), here's a way to get this done. In this answer I'll show what works today but also how to figure out what will work a year from now.

First download emacs and its .sig file. I have:

$ ls | grep emacs
emacs-24.4.tar.xz
emacs-24.4.tar.xz.sig

Assuming you already have gpg installed, try to verify it:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Can't check signature: public key not found

In this attempt, it fails (you'll see a successful attempt at the end of this post). I don't have the public key. The output tells you which public key you need to obtain: A0B0F199. (This is the thing that will most likely change in the future.)

So I then try to download it with the default command:

$ gpg --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
(...hangs here...)

It just hangs. That's because I have ufw (my Linux firewall software) blocking most ports. You can tell gpg to use port 80, like so:

$ gpg --keyserver hkp://keys.gnupg.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
gpgkeys: key A0B0F199 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

That got through the firewall, but fails because, for some reason, the Emacs/FSF keys are no longer being stored on the gnupg server. So I tried the other keyserver I know about and have some level of trust of:

$ gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys A0B0F199
gpg: requesting key A0B0F199 from hkp server pool.sks-keyservers.net
gpg: key A0B0F199: public key "Glenn Morris <rgm@gnu.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

OK, it worked. Now check it:

$ gpg --list-keys
...
pub   2048R/A0B0F199 2012-12-23 [expires: 2015-12-23]
uid                  Glenn Morris <rgm@gnu.org>
sub   2048R/951C59EC 2012-12-23 [expires: 2015-12-23]

Yep, got it.

Now I can verify the downloaded emacs tarball:

$ gpg --verify emacs-24.4.tar.xz.sig 
gpg: Signature made Mon 20 Oct 2014 02:58:21 PM EDT using RSA key ID A0B0F199
gpg: Good signature from "Glenn Morris <rgm@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199

The signature is "good", but not trusted. See the other answers for how to trust that key.

You can create a gpg.conf file with a line for the key server `keyserver hkp://pool.sks-keyservers.net:80`. Put this gpg.conf file into `~/.gnupg` (under unix-like environments) or into `c:/Users/USERNAME/AppData/Roaming/gnupg` under Windows — Jérôme Radix, Mar 27 '15 at 15:27

where can I find the public key for Gnu Emacs?

4 Answers4