Seguindo as notas no site do kernel.org, mas não consigo verificar a assinatura do kernel. Eu tentei usar o script fornecido para lidar com isso para mim, mas isso também falhou.
user@localhost ~ $ sh ./get-verified-tarball 4.14.68
Using TMPDIR=/home/user/Downloads/linux-tarball-verify.gPukN5Mdg.untrusted
GNUPGHOME directory /home/user/.gnupg does not exist
Create it? [Y/n]y
Making sure we have all the necessary keys
gpg: invalid auto-key-locate list
Something went wrong fetching keys
A tentativa falha manualmente:
user@localhost ~ $ rm -rf .gnupg/
user@localhost ~ $ gpg2 --locate-keys [email protected] [email protected]
gpg: directory '/home/user/.gnupg' created
gpg: new configuration file '/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring '/home/user/.gnupg/pubring.gpg' created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
user@localhost ~ $ cd kernel
user@localhost ~/kernel $ ls
linux-4.14.68.tar linux-4.14.68.tar.sign
user@localhost ~/kernel $ gpg2 --verify linux-4.14.68.tar.sign
gpg: Signature made Wed 05 Sep 2018 03:27:46 AM EDT using RSA key ID 6092693E
gpg: Can't check signature: No public key
Minha configuração:
user@localhost ~/kernel $ cat /etc/system-release
CentOS Linux release 7.2.1511 (Core)
user@localhost ~/kernel $ uname -a
Linux localhost.localdomain 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
user@localhost ~/kernel $ gpg2 --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Linux kernel releases PGP signatures
Kernel.org web of trust. PGP keys used by members of kernel.org are cross-signed by other members of the Linux kernel development community (and, frequently, by many other people).
www.kernel.org
o que preciso fazer para resolver isso e poder verificar sigs?