The Debian repositories on www.lesbonscomptes.com are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.

Quick

Downloading the keys

Get the public key from the keyservers:

gpg --keyserver pool.sks-keyservers.net --recv-key 'F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201'

Debian repository set up

Add the key to the apt keyring.

gpg --export '7808CE96D38B9201' | sudo apt-key add -

File checksums

Most distribution files (tar, zip, setup…) have associated sha256 checksum files. This allows checking that the files are not corrupted by copying or transmission.

E.g, after downloading recoll-1.21.5.tar.gz, and recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file integrity:

sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256

Using gpg, you can verify the file integrity and origin - it was signed by me - in one step:

gpg upmpdcli-1.1.3.tar.gz.asc
gpg: assuming signed data in `upmpdcli-1.1.3.tar.gz'
gpg: Signature made lun. 13 mars 2017 16:27:20 CET
gpg:                using RSA key 0x7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <jf@dockes.org>" [ultimate]
gpg:                 aka "Jean-Francois Dockes <jfdockes@gmail.com>" [ultimate]
Primary key fingerprint: F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201

Signatures in more detail

The download files have detached gpg signatures (same file name, with .asc added). These provide a slight amount of security against tampering on the WEB server, (very slight because the keys are currently self-signed).

The public keys are also stored on an independant web site (different hosting provider, passwords, etc), you can cut/paste them from:

http://www.dockes.org/

This is also unsecure because you don’t know that I (J.F. Dockes) set up the site. Still, it’s an additional element which an attacker would need to control.

I have been using two keys to sign the files, an older, not used any more, and a current, more secure, one.

The older key (1024 bits) is supposed to be a bit short which is why it is not used any more:

pub   1024D/0x32D9C2A835ED066C 2009-10-18 [expires: 2017-02-21]
      Key fingerprint = 4C6E 80B6 374D CD5F 53AB  706A 32D9 C2A8 35ED 066C
uid                 [ultimate] Jean-Francois Dockes <jf@dockes.org>
sub   2048g/0xF93B49FFEB13BE77 2009-10-18

The newer key is signed with the old one:

pub   4096R/0x7808CE96D38B9201 2016-02-21 [expires: 2017-02-20]
      Key fingerprint = F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201
uid                 [ultimate] Jean-Francois Dockes <jf@dockes.org>
uid                 [ultimate] Jean-Francois Dockes <jfdockes@gmail.com>
sub   4096R/0x45C4053F9AA984A2 2016-02-21 [expires: 2017-02-20]

You can receive the key from the keyservers using:

gpg --recv-key '4C6E 80B6 374D CD5F 53AB 706A 32D9 C2A8 35ED 066C'
gpg --recv-key 'F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201'

You can then check the signature on any file by downloading the parallel .asc file and using, e.g.:

gpg --verify some-tar-file.tar.gz.asc

Apt repositories

The apt repositories are also signed. Only the newer key should be needed.

Once the key has been received in your gpg keyring, you can add them to the apt key ring as follows:

gpg --export '7808CE96D38B9201' | sudo apt-key add -