
Re: Verifying GPG keys for Ubuntu install



Thanks for the report!  Yes, the tarsnap archive keys recently changed -- we
update them every year in January.  I think that I updated all relevant parts
of the website, but I'm always willing to believe that I screwed something up.

Alternate source, if you want more confirmation than a mere email:
https://mobile.twitter.com/cperciva/status/1484314545199796225


When I do:
$ wget https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
$ gpg tarsnap-deb-packaging-key.asc 

I see:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-10-26 [SC] [expires: 2023-02-01]
      C8AC97032A76382306D2A315B364F774EAC3C4DF
uid           Tarsnap .deb packages signing key (Tarsnap Backup Inc.) <pkg-deb@tarsnap.com>


Could you please try the same commands?

WARNING: this morning, I re-discovered that if you already have a
tarsnap-deb-packaging-key.asc file in your directory, then wget will save the
new file to tarsnap-deb-packaging-key.asc.1 instead of overwriting the
existing file.  So if you already have the 2021 version of the key, that can
spark a lot of confusion.

I'm wondering if we should stick the year in the filename.  That means that
the copy&paste instructions would have to change each year (which is why we
didn't do this before), but the annual key rotation bites a few people every
year.

Cheers,
- Graham

On Fri, Jan 21, 2022 at 10:00:47PM +0000, Brian Foley wrote:
> Hi All,
> 
> 
> I am following these instructions to install tarsnap on ubuntu: 
> https://www.tarsnap.com/pkg-deb.html
> 
> 
> The instructions say:
> 
> gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature
> 
> :signature packet: algo 1, keyid B364F774EAC3C4DF
> 
> :signature packet: algo 17, keyid 38CECA690C6A6A6E
> 
> The first keyid is the Tarsnap deb packaging key, while the second is 
> Colin Percival's key (0x38CECA690C6A6A6E). These keyid values should 
> match those on a public key server search for 0xB364F774EAC3C4DF 
> <https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xB364F774EAC3C4DF>. 
> 
> 
> 
> However, when I perform the same steps I get:
> 
> gpg --list-packets tarsnap-deb-packaging-key.asc | grep signature
> 
> :signature packet: algo 1, keyid BF75EEAB040E447C
> 
> :signature packet: algo 17, keyid 38CECA690C6A6A6E
> 
> 
> Has the tarsnap GPG key changed?  If so, can the docs on the website be 
> updated for clarity?
> 
> 
> Thanks,
> 
> 
> Brian
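
A check along the lines discussed in this thread, added here as an example and not taken from the Tarsnap instructions or from either poster: it downloads to an explicitly named output file (so wget cannot leave the new key in a `.1` file beside an older copy) and compares the full 40-digit fingerprint rather than a 64-bit keyid. The function names and script name are made up for this example, and the expected fingerprint in the usage comment is the one quoted in the reply above; substitute a value you have confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the Tarsnap docs.

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record after the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && !found && $1 == "fpr" { print $10; found = 1 }'
}

# Succeed only if $1 is a full 40-hex-digit fingerprint equal to $2
# (spaces and letter case ignored). Short keyids are rejected.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$a" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# usage: check_key URL EXPECTED_FINGERPRINT OUTFILE
# -O names the output file explicitly, so an older copy is overwritten
# instead of the new download landing in OUTFILE.1.
check_key() {
    wget -q -O "$3" "$1" || return 2
    got=$(gpg --show-keys --with-colons "$3" | primary_fpr)
    if fpr_matches "$got" "$2"; then
        echo "fingerprint OK: $got"
    else
        echo "fingerprint MISMATCH: got '$got', expected '$2'" >&2
        rm -f "$3"
        return 1
    fi
}

# Example (fingerprint as quoted in the message above):
#   sh check-key.sh https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc \
#       C8AC97032A76382306D2A315B364F774EAC3C4DF tarsnap-deb-packaging-key.asc
if [ "$#" -eq 3 ]; then
    check_key "$@"
fi
```

`gpg --show-keys` inspects the file without importing it, so a mismatching key never reaches the keyring.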