The Debian repositories on www.lesbonscomptes.com are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.

The first section 'Quick' if you are in a hurry or not interested by the details. See 'More details' further on for other explanations.

Quick: installing the repository keys for apt

Debian Stretch and newer

Either:

Or:

  • Create it by importing the key from the key servers:

gpg --no-default-keyring --keyring ./lesbonscomptes.gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201

In both cases:

  • Copy the resulting lesbonscomptes.gpg to /usr/share/keyrings/.

Debian Jessie

  • Either download the public key from this server, then import it into your keyring:

    gpg --import ~/Downloads/jf-at-dockes.org.pub
  • Or use a public key server, and perform download and import to the keyring in one step:

    You may need to install the 'dirmngr' package first: sudo apt install dirmngr. Then:

gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201
  • In both cases, finally add the public key to the 'apt' keyring:

gpg --export '7808CE96D38B9201' | sudo apt-key add -

File checksums

Most distribution files (tar, zip, setup…​) have associated sha256 checksum files. This allows checking that the files are not corrupted by copying or transmission.

E.g, after downloading recoll-1.21.5.tar.gz, and recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file integrity:

sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256

Using gpg, you can verify the file integrity and origin - it was signed by me - in one step:

gpg upmpdcli-1.1.3.tar.gz.asc
gpg: assuming signed data in `upmpdcli-1.1.3.tar.gz'
gpg: Signature made lun. 13 mars 2017 16:27:20 CET
gpg:                using RSA key 0x7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <jf@dockes.org>" [ultimate]
gpg:                 aka "Jean-Francois Dockes <jfdockes@gmail.com>" [ultimate]
Primary key fingerprint: F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201

More details about the signatures

The download files have detached gpg signatures (same file name, with '.asc' added). These provide a slight amount of security against tampering on the WEB server, (very slight because the keys are currently self-signed).

The public keys are also stored on an independant web site (different hosting provider, passwords, etc), you can cut/paste them from:

http://www.dockes.org/

This is also unsecure because you don’t know that I (J.F. Dockes) set up the site. Still, it’s an additional element which an attacker would need to control.

You can receive the key from the keyservers using:

gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201

You can then check the signature on any file by downloading the parallel .asc file and using, e.g.:

gpg --verify some-tar-file.tar.gz.asc

Note: some very old files may have been signed with an older key. I don’t think that it is in use for any current version, but you can also get it from the server:

gpg --keyserver keyserver.ubuntu.com --recv-key 4C6E80B6374DCD5F53AB706A32D9C2A835ED066C

Apt repositories

The apt repositories are also signed. Only the newer key should be needed.

Reference information