From: Jessie Frazelle
Subject: GPG Key
I swear I looked all over the website and downloads page [1]. But I
cannot find what key the tarballs are signed with to import to verify.
I am so sorry for bothering a mailing list with such noise, especially
because as much as I try I know they have to be somewhere and I am
just missing it.
Thanks in advance.
[1] https://alioth.debian.org/frs/?group_id=30105
Check the signature
Let try with the CCID driver. Download the 2 files: ccid-1.4.20.tar.bz2 and ccid-1.4.20.tar.bz2.asc and try to verify the signature.$ gpg2 ccid-1.4.20.tar.bz2.asc
gpg: assuming signed data in 'ccid-1.4.20.tar.bz2'
gpg: Signature made Wed Aug 5 13:23:24 2015 CEST using RSA key ID E8F9C57E
gpg: Can't check signature: No public key
The signing key ID is E8F9C57E. We need to find this public key.
Fetch the public GPG key
You can use your web search engine for "E8F9C57E". It will return many results, including the public key you are looking for.One way to get the key is to ask a key server using:
$ gpg2 --keyserver pgp.mit.edu --recv-key E8F9C57E gpg: requesting key E8F9C57E from hkp server pgp.mit.edu gpg: key E8F9C57E: public key "Ludovic Rousseau" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
I used pgp.mit.edu as key server but you can use another one.
Check the signature, again
Then we can verify the signature:$ gpg2 ccid-1.4.20.tar.bz2.asc gpg: assuming signed data in 'ccid-1.4.20.tar.bz2' gpg: Signature made Wed Aug 5 13:23:24 2015 CEST using RSA key ID E8F9C57E gpg: Good signature from "Ludovic Rousseau" [unknown] gpg: aka "Ludovic Rousseau " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F5E1 1B9F FE91 1146 F41D 953D 78A1 B4DF E8F9 C57E
The signature is correct. But the key is not trusted.
Trust the public key?
Then you can verify that the public key ID E8F9C57E is really my public key. You will need to use the web of trust for that.Maybe you trust one of the keys that signed my public key (level 1)?
Or maybe you trust a key that signed a key that signed my key (level 2)?
etc.
My GPG public key is also available from my web page at http://ludovic.rousseau.free.fr/