LFS Package GPG Signature

Ronald Hummelink maillist at hummelink.xs4all.nl
Mon Jun 7 09:27:06 PDT 2004

Jeroen Coumans wrote:

> Archaic said the following on 07-06-2004 13:45:
>> On Mon, Jun 07, 2004 at 09:45:57AM +0200, Ronald Hummelink wrote:
>>> IMHO this is very damn normal way to get the public key from 
>>> someone, the LFS book doesn't mention a lot of things with this very 
>>> reason.
>> It is common practice to mention on a web site how to get a public key.
>> There is nothing wrong with having a page for it and a link in the book.
> Agree, especially since it's a relatively new proces. Heck, I don't 
> even know how to verify a package by its md5sum, let alone how to 
> verify with a GPG key. Some basic instructions are very welcome.
This is what falls in the command --help RTFM job, which any lfser ought 
to be capable of.

Just like the good old:
md5sum --help
  -c, --check             check MD5 sums against given list

$ md5sum -c MD5SUMS

we have:
gpg --help
     --verify                   verify a signature

resulting in:
$ gpg --verify lfs-packages-5.1.1.tar.asc

I'd rather worry about the fact that the tarball is signed not being 
mentioned in the book, then provide these basic commands which are 
easily found by doing your daily RTFM. It is totally against the 
not-spoon-feed everything policy of the last years in the lfs book.


More information about the lfs-dev mailing list