The Debian repositories on www.lesbonscomptes.com are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.
Read the first section, 'Quick', if you are in a hurry or not interested in the details. See 'More details' further on for additional explanations.
Quick: installing the keys into the 'apt' keyring
The first step is to download my public key from this server or from the sks key servers.
Either download from lesbonscomptes.com
Download the public key from this server, then import it into your keyring:
gpg --import ~/Downloads/jf-at-dockes.org.pgp
Or use the sks key servers
You may need to install the 'dirmngr' package which is the utility which lets gpg access the key servers:
sudo apt install dirmngr
Fetch the lesbonscomptes repository public key from the key servers:
gpg --keyserver pool.sks-keyservers.net --recv-key F8E3347256922A8AE767605B7808CE96D38B9201
In both cases, add the public key to the 'apt' keyring
gpg --export '7808CE96D38B9201' | sudo apt-key add -
Most distribution files (tar, zip, setup…) have associated checksum files. These allow checking that the files were not corrupted by copying or transmission.
E.g., after downloading recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file:
sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256
Using gpg, you can verify the file integrity and origin - it was signed by me - in one step:
gpg upmpdcli-1.1.3.tar.gz.asc
gpg: assuming signed data in `upmpdcli-1.1.3.tar.gz'
gpg: Signature made lun. 13 mars 2017 16:27:20 CET
gpg:                using RSA key 0x7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <email@example.com>" [ultimate]
gpg:                 aka "Jean-Francois Dockes <firstname.lastname@example.org>" [ultimate]
Primary key fingerprint: F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201
More details about the signatures
The download files have detached gpg signatures (same file name, with '.asc' added). These provide a slight amount of security against tampering on the web server (very slight, because the keys are currently self-signed).
The public keys are also stored on an independent web site (different hosting provider, passwords, etc.); you can cut/paste them from:
This is also insecure, because you don’t know that I (J.F. Dockes) set up the site. Still, it’s an additional element that an attacker would need to control.
I have been using two keys to sign the files: an older one, no longer used, and a current, more secure one.
The older key (1024 bits) is considered a bit short, which is why it is not used any more:
pub   1024D/0x32D9C2A835ED066C 2009-10-18 [expires: 2017-02-21]
      Key fingerprint = 4C6E 80B6 374D CD5F 53AB 706A 32D9 C2A8 35ED 066C
uid                 [ultimate] Jean-Francois Dockes <email@example.com>
sub   2048g/0xF93B49FFEB13BE77 2009-10-18
The newer key is signed with the old one:
pub   4096R/0x7808CE96D38B9201 2016-02-21 [expires: 2017-02-20]
      Key fingerprint = F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201
uid                 [ultimate] Jean-Francois Dockes <firstname.lastname@example.org>
uid                 [ultimate] Jean-Francois Dockes <email@example.com>
sub   4096R/0x45C4053F9AA984A2 2016-02-21 [expires: 2017-02-20]
You can receive the key from the keyservers using:
gpg --recv-key '4C6E 80B6 374D CD5F 53AB 706A 32D9 C2A8 35ED 066C'
gpg --recv-key 'F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201'
</gpg>
You can then check the signature on any file by downloading the matching .asc file and using, e.g.:
gpg --verify some-tar-file.tar.gz.asc
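The two checks described above (the .sha256 comparison and the .asc signature) can be scripted. The following is an added example, not code from the site or its author: it parses sha256sum-style checksum files, recomputes the digest, and runs gpg with --status-fd so that the signature is only accepted when the VALIDSIG line names the fingerprint printed on this page, rather than trusting the "Good signature" text or the exit code alone. The fingerprint constant and the sample tarball contents are assumptions/constructed data.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

EXPECTED_FPR = "F8E3347256922A8AE767605B7808CE96D38B9201"  # current signing key as printed on this page (assumed still valid)

def parse_sha256_file(text):
    """Parse sha256sum lines ('<hex>  <name>'; a '*' before the name means binary mode)."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            out[parts[1].strip().lstrip("*")] = parts[0].lower()
    return out

def checksum_matches(path, sha256_text):
    """Recompute the file's SHA-256 and compare it (constant-time) with the published value."""
    expected = parse_sha256_file(sha256_text).get(Path(path).name)
    if expected is None:  # the checksum file does not cover this file name
        return False
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def signature_fingerprints(status_text):
    """Collect fingerprints from gpg --status-fd VALIDSIG lines: field 2 is the signing
    (sub)key, field 11 its primary key. GOODSIG alone only carries a short key id."""
    fprs = set()
    for line in status_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            fprs.update(x.upper() for x in f[2:3] + f[11:12])
    return fprs

def signed_by_expected_key(asc_path, expected_fpr=EXPECTED_FPR):
    """Run gpg --verify and accept only a valid signature from the pinned fingerprint."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(asc_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and expected_fpr.upper() in signature_fingerprints(proc.stdout)

def self_check():
    """Constructed sample: a fake tarball with a matching and a corrupted .sha256 text."""
    tarball = Path(tempfile.mkdtemp()) / "recoll-1.21.5.tar.gz"
    tarball.write_bytes(b"constructed tarball contents, not a real release\n")
    good = hashlib.sha256(tarball.read_bytes()).hexdigest() + "  recoll-1.21.5.tar.gz\n"
    bad = "0" * 64 + " *recoll-1.21.5.tar.gz\n"
    return checksum_matches(tarball, good), checksum_matches(tarball, bad)
```

For a real download, call checksum_matches() with the contents of the .sha256 file and signed_by_expected_key() with the path of the .asc file; the key must already be imported as described in the 'Quick' section.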