Note that once you have added a good PGPKEYS file to your key ring, you may execute
the following command to verify the integrity and authenticity of any new
source distribution you download.
This is the Title of the Book, eMatter Edition
Copyright ?© 2007 O??™Reilly & Associates, Inc. All rights reserved.
2.3 What??™s Where in the Source | 45
pgp signature-file distribution-file ?†? for pgp version 2.x
pgpv signature-file distribution-file ?†? for pgp version 5.x
gpg --verify signature-file distribution-file ?†? for gpg
If the tar file is good, gpg(1) will report that the signature is valid. For example:
% gpg --verify sendmail.8.14.1.tar.gz.sig sendmail.8.14.1.tar.gz
gpg: Signature made Tue Jan 09 12:11:36 2007 PST using RSA key ID 7093B841
gpg: Good signature from "Sendmail Signing Key/2007
"
Primary key fingerprint: D9 FD C5 6B EE 1E 7A A8 CE 27 D9 B9 55 8B 56 B6
Here the phrase Good signature means that the distribution file is good and was not
modified after it was signed. As an additional precaution, make sure the fingerprint
displayed matches one of the official fingerprints shown earlier.
In addition to the good output just shown, you may also get occasional warnings
about your own setup. For example, the following warns about your local gpg(1)
setup, not about the validity of the distribution:*
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Pages:
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104