Important!

Blog moved to https://blog.apdu.fr/

I moved my blog from https://ludovicrousseau.blogspot.com/ to https://blog.apdu.fr/ . Why? I wanted to move away from Blogger (owne...

Wednesday, August 26, 2015

How to get my GPG public key?

On the MUSCLE mailing list we got the following question:
From: Jessie Frazelle
Subject: GPG Key

I swear I looked all over the website and downloads page [1]. But I
cannot find what key the tarballs are signed with to import to verify.
I am so sorry for bothering a mailing list with such noise, especially
because as much as I try I know they have to be somewhere and I am
just missing it.

Thanks in advance.


[1] https://alioth.debian.org/frs/?group_id=30105

Check the signature

Let's try with the CCID driver. Download the two files, ccid-1.4.20.tar.bz2 and ccid-1.4.20.tar.bz2.asc, and try to verify the detached signature.

$ gpg2 ccid-1.4.20.tar.bz2.asc
gpg: assuming signed data in 'ccid-1.4.20.tar.bz2'
gpg: Signature made Wed Aug  5 13:23:24 2015 CEST using RSA key ID E8F9C57E
gpg: Can't check signature: No public key

The signing key ID is E8F9C57E. We need to find this public key.

Fetch the public GPG key

You can search the web for "E8F9C57E". Among the many results you will find the public key you are looking for.

One way to get the key is to ask a key server using:
$ gpg2 --keyserver pgp.mit.edu --recv-key E8F9C57E
gpg: requesting key E8F9C57E from hkp server pgp.mit.edu
gpg: key E8F9C57E: public key "Ludovic Rousseau " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

I used pgp.mit.edu as the key server, but you can use any other one. Note that fetching a key from a key server says nothing about who owns it: anyone can upload a key carrying any name and e-mail address.

Check the signature, again

Then we can verify the signature:
$ gpg2 ccid-1.4.20.tar.bz2.asc
gpg: assuming signed data in 'ccid-1.4.20.tar.bz2'
gpg: Signature made Wed Aug  5 13:23:24 2015 CEST using RSA key ID E8F9C57E
gpg: Good signature from "Ludovic Rousseau " [unknown]
gpg:                 aka "Ludovic Rousseau " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5E1 1B9F FE91 1146 F41D  953D 78A1 B4DF E8F9 C57E

The signature is valid, but the key is not trusted: gpg has no way to know that key E8F9C57E really belongs to me.

Trust the public key?

You then need to convince yourself that the key with fingerprint F5E1 1B9F FE91 1146 F41D 953D 78A1 B4DF E8F9 C57E is really my key. Compare the full fingerprint, not only the 32-bit key ID E8F9C57E: short key IDs are easy to collide, so any key whose ID ends in E8F9C57E would have given you the same "Good signature" above.
One way is the web of trust. Maybe you trust one of the keys that signed my public key (level 1)?
Or maybe you trust a key that signed a key that signed my key (level 2)?
And so on.

My GPG public key is also available from my web page at http://ludovic.rousseau.free.fr/ , so you can compare the fingerprint published there with the one printed by gpg.
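The whole procedure above, as a script, is an added example and not code from the original post or from the CCID project. It pins the full fingerprint from the post rather than the 32-bit key ID, passes both the signature and the tarball to gpg2 --verify explicitly instead of letting gpg guess the data file name, imports the key into a throw-away GNUPGHOME so the user's own keyring cannot influence the result, and reads the machine-readable --status-fd output (the VALIDSIG line, which GnuPG only emits for a signature that verified) instead of parsing the human-readable "Good signature" text. The SAMPLE_STATUS lines are constructed to mirror the post's output; the pubkey argument of verify_tarball is assumed to be an ASCII-armored key file you obtained yourself (for example from the author's web page).

```shell
#!/bin/sh
# Added example: verify a detached GPG signature and pin the signer's fingerprint.

# Full fingerprint of the signing key, copied from the post (spaces removed).
EXPECTED_FPR="F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E"

# Extract the signer's fingerprint from gpg --status-fd output.
# The VALIDSIG line is:
#   [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <rsvd> <pkalgo> <hash> <class> [<primary-fpr>]
# When the trailing primary-key fingerprint is present (signature made with a
# subkey), prefer it so that the comparison is against the primary key.
signing_fpr_from_status() {
    # $1: text of gpg status lines; prints nothing if no VALIDSIG line exists
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        print (length($NF) == 40 ? $NF : $3); exit }'
}

# Compare two fingerprints ignoring spaces and case; an empty fingerprint never matches.
fpr_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Verify <tarball> against <sig> using only the key in <pubkey>.
# Returns 0 only if the signature is good AND made by the pinned key.
verify_tarball() {
    tarball=$1; sig=$2; pubkey=$3
    home=$(mktemp -d) || return 1            # private keyring, nothing else in it
    status=$(GNUPGHOME="$home" gpg2 --batch --import "$pubkey" 2>/dev/null &&
             GNUPGHOME="$home" gpg2 --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    rm -rf "$home"
    fpr_matches "$(signing_fpr_from_status "$status")" "$EXPECTED_FPR"
}

# Constructed status lines modelled on the post's verification (not real gpg output).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 78A1B4DFE8F9C57E Ludovic Rousseau
[GNUPG:] VALIDSIG F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E 2015-08-05 1438773804 0 4 0 1 2 00 F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
[GNUPG:] TRUST_UNDEFINED'

if fpr_matches "$(signing_fpr_from_status "$SAMPLE_STATUS")" "$EXPECTED_FPR"; then
    echo "sample: signed by the pinned key"
else
    echo "sample: signature missing or made by another key"
fi

# Real use: verify_tarball ccid-1.4.20.tar.bz2 ccid-1.4.20.tar.bz2.asc ludovic-rousseau.asc
```

TRUST_UNDEFINED in the status output is the machine-readable form of the "This key is not certified" warning: the fingerprint comparison, not gpg's trust database, is what ties the signature to the author here. Keep EXPECTED_FPR in version control next to the script so a swapped key shows up as a diff.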