Does anyone know where to find the ISC signing keys for source packages?
Casey Deccio
casey at deccio.net
Tue Dec 28 21:50:05 UTC 2010
On Tue, Dec 28, 2010 at 1:37 PM, Thomas Schulz <schulz at adi.com> wrote:
>>
>> At Tue, 28 Dec 2010 15:50:23 -0500 (EST), Thomas Schulz wrote:
>> >
>> > It looks like I am a little dim today. Given gpg and the key, what steps
>> > do I do to verify a source package?
>>
>> General case:
>>
>> $ gpg --verify sigfile tarball
>>
>> Eg:
>>
>> $ gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz
>>
>> We probably should add this to the aforementioned web page.
>
> It looks like I have to somehow make the public key available. When I
> issue the above command I get:
>
> gpg: Can't check signature: public key not found
>
Before checking the signature, you need to import ISC's public key
into your key ring. Something like this will work:
curl https://www.isc.org/files/pgpkey2009.txt | gpg --import
Then you can run gpg --verify.
Casey
More information about the bind-users
mailing list