Re: GPG public keys

Jamie Evans <jamie@xxxxxxxxxxxxxx> writes:

> Can you please point me to the public GPG keys used for source code signing?

I suspect that you are asking about our project, but instead of
throwing you a fish, I'll show you how to catch one yourself.

In a copy of the Linux kernel repository I have lying around from a
random past, I did this:

    $ git log --show-signature

and saw something like this:

    commit c6fa8e6de3dc420cba092bf155b2ed25bcd537f7
    merged tag 'arm64-fixes'
    gpg: Signature made Wed 07 Oct 2015 03:10:34 AM PDT using RSA key ID 84C16334
    gpg: Can't check signature: public key not found
    Merge: e82fa92 62c6c61
    Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
    Date:   Wed Oct 7 18:17:46 2015 +0100

        Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/li...

I do not have the public key with key ID 84C16334, but I can ask
public keyservers.  Put 0x84C16334 in "Search String" in pgp.mit.edu
and click "Do the search!"--it would result in the key that was used
to sign the merge request that resulted in this merge.

I also can do this:

    $ git tag -v v3.0

and I would see something like:

    object 02f8c6aee8df3cdc935e9bdd4f2d020306035dbe
    type commit
    tag v3.0
    tagger Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> 1311301049 -0700

    Linux 3.0

    w00t!
    gpg: Signature made Thu 21 Jul 2011 07:17:44 PM PDT using DSA key ID 76E21CBB
    gpg: Good signature from "Linus Torvalds (tag signing key) <torvalds@xxxxxxxx>"
    ...

to find that Linus's tag signing key has ID 0x76E21CBB (I do have
his key in my keyring, so this does not say "Can't check").

Perhaps you can do the same to whatever project you are interested
in.  For example, here is a starting point to do the same for our
recent v2.6.4 tag:

    $ git tag -v v2.6.4
    gpg: Signature made Tue 08 Dec 2015 02:12:50 PM PST using RSA key ID 96AFE6CB
    gpg: Can't check signature: public key not found
    error: could not verify the tag 'v2.6.4'

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
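
Added example, not part of the original post: a shell helper that performs the key-ID extraction described above over the gpg lines printed by `git log --show-signature` or `git tag -v`. It assumes the single-line "Signature made ... using <alg> key ID <id>" format quoted in the post; the function names (`sig_summary`, `missing_keys`, `sample_output`) are hypothetical and the sample input is constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example. Reads gpg verification output on stdin and prints one line
# per signature: "<key id> <algorithm> <status>", where status is
# good, bad, nokey (public key not in the keyring) or unknown.
sig_summary() {
    awk '
        function emit() { if (id != "") print id, alg, status; id = "" }
        # Start of a new signature: last field is the key ID,
        # the algorithm name sits three fields before it.
        /gpg: Signature made .* key ID / {
            emit()
            id = $NF; alg = $(NF - 3); status = "unknown"
            next
        }
        /gpg: Good signature from/                         { status = "good" }
        /gpg: BAD signature from/                          { status = "bad" }
        /gpg: Can.t check signature: public key not found/ { status = "nokey" }
        END { emit() }
    '
}

# Key IDs that must be fetched before their signatures can be checked,
# in the 0x-prefixed form used for a keyserver search.
missing_keys() {
    sig_summary | awk '$3 == "nokey" { print "0x" $1 }' | sort -u
}

# Constructed sample input, assembled from the output quoted in the post.
sample_output() {
    cat <<'EOF'
commit c6fa8e6de3dc420cba092bf155b2ed25bcd537f7
merged tag 'arm64-fixes'
gpg: Signature made Wed 07 Oct 2015 03:10:34 AM PDT using RSA key ID 84C16334
gpg: Can't check signature: public key not found
tag v3.0
gpg: Signature made Thu 21 Jul 2011 07:17:44 PM PDT using DSA key ID 76E21CBB
gpg: Good signature from "Linus Torvalds (tag signing key) <torvalds@xxxxxxxx>"
gpg: Signature made Tue 08 Dec 2015 02:12:50 PM PST using RSA key ID 96AFE6CB
gpg: Can't check signature: public key not found
EOF
}

sample_output | sig_summary
```

In a real repository, pipe `git log --show-signature 2>&1` or `git tag -v <tag> 2>&1` into `missing_keys`. The 8-hex-digit IDs are short enough that different keys can share one, so compare the full fingerprint of any key you fetch against one the project publishes before trusting it.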


