Dear Jerome,

I do not know the answer to your direct query, but if I understand you correctly, what you want to do is install "pgadmin3". In answer to the install question:

1 Get the RPM along with its MD5 checksum.
2 Check the RPM with the checksum: [openssl dgst] md5 pgadmin3-1.4.1.rpm.asc
3 Import the "key": rpm --import pgadmin3-1.4.1.rpm.asc
4 Install the package: rpm -ivh pgadmin3-1.4.1.rpm

Please see the openssl DGST and rpm man pages - in particular ensure that the environment variable $GNUPGHOME has a reasonable value such as "/usr/lib/rpm/gnupg" for SuSE 9.3.

As you are using "make", you are obviously building from scratch. I would suggest you examine the RPM process and use this as your "model" for doing the job (man rpm and /usr/lib/rpm/macros).

Hope this helps, and I agree that only 20 million assorted packages to achieve 1 single task is vastly confusing and really mucks up the learning curve. As yet, I have found no way of beating it - I try to stick with one task and do my best to refuse going down any "blind alleys".

Regards,
Pim Dennendal, mailto:p.dennendal@scarlet.nl

On Monday 23 January 2006 11:11 am, you wrote:
On Sunday 22 January 2006 12:32, rmyster wrote:
Would someone give me an example of how to verify the integrity of the tarball against a pgp key?
Assuming you have already imported the public key: gpg --verify signaturefile tarball
@linux:~/bin> gpg --verify pgadmin3-1.4.1.tar.gz.sig
gpg: Signature made Sat 10 Dec 2005 04:47:04 AM HST using DSA key ID 1A19643B
gpg: Can't check signature: public key not found

@linux:~/bin> gpg --verify pgadmin3-1.4.1.tar.gz.sig pgadmin3-1.4.1.tar.gz
gpg: Signature made Sat 10 Dec 2005 04:47:04 AM HST using DSA key ID 1A19643B
gpg: Can't check signature: public key not found
Import the public key through a GUI with something like KGPG(part of the kdeutils3 package) or on the command line with gpg --import publickey
@linux:~/bin> gpg --import pgadmin3-1.4.1.tar.gz.sig
gpg: Total number processed: 0
I'm assuming pgadmin3-1.4.1.tar.gz.sig is the signed public key.
This is confusing.
If pgadmin3-1.4.1.tar.gz.sig is not the public key then why isn't the public key in the same directory as pgadmin3-1.4.1.tar.gz.sig and pgadmin3-1.4.1.tar.gz? If pgadmin3-1.4.1.tar.gz.sig is not the public key then what is it? Is there a standard way to find/recognize the public key?
What am I doing/have I got wrong? Jerome

PS: The online documentation doesn't help much. In general, in their explanations they don't define enough terms. And they don't give enough concrete examples. Most of the time it seems you have to already know the answer to understand the answer.
For example, from http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.3:
3.6 KEY SIGNING Using the gpg --edit-key UID command for the key that needs to be signed you can sign it with the sign command
It sounds like gpg --edit-key UID and sign are different commands. If so, it is not clear how they are to be used together. A nice concrete example would be useful here.
3.3 IMPORTING KEYS gpg --import [Filename]
Here a set of examples showing the different forms Filename could take would be useful. For example: gpg --import pgadmin3-1.4.1.tar.gz.sig
Or this:
There is one more important command that is relevant for working with keys.
gpg --edit-key UID
Using this you can edit (among other things) the expiration date, add a fingerprint and sign your key. Although it is too logic to mention. For this you need your passphrase. When entering this you will see a command line.
What does this even mean??
and last but not least:
1.2 DIGITAL SIGNATURES In order to prove that a message was really sent by the alleged sender the concept of Digital Signatures was invented. As the name says a message is digitally signed by the sender. By using this signature you can check the authenticity of a message. Using this will reduce the risk for Trojan horses (a message that claims to be a patch to a certain problem but actually contains a virus or does something bad with data on your computer). Also information or data can be verified as coming from a legitimate source and thus be regarded as real. A digital signature is made through a combination of the secret key and the text. Using the senders public key the message can be verified. Not only will be checked if the correct sender is involved, also the content will be checked. So you know that the message comes from the sender and has not been changed during the transportation process.
This is all very well in theory but it doesn't tell me what I need to know: how to use digital signatures to verify the package I want to verify. And this is a howto! One could reasonably expect to be told how to in a howto.
Maybe someone should start a blog of 'concrete examples' .
And finally. I know verifying software is important and I should learn how to do it. But, all this is a diversion from what I want to do, which is get pgadmin3-1.4.1 up and running.
Everything goes well until 'make' says it can't find some files and quits with an error message. I join the pgadmin list and describe my problem. A resident guru says he's checked and the missing files are there, I must have a corrupted copy, and did I verify my copy against his signature? So here I am once again climbing another learning curve when what I really want to be doing is climbing the learning curve of pgadmin3.
OK, I'm done.
There are more GUI frontends listed at: www.gnupg.org/(en)/related_software/frontends.html
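The procedure rmyster gives above (import the public key, then gpg --verify signaturefile tarball) and the wrong turn in Jerome's attempt (gpg --import of the .sig, which contains no key), replayed end to end as an added example. This script is not from the thread or from the pgAdmin project: it generates a throwaway maintainer key under a temporary GNUPGHOME as a stand-in for the real pgAdmin signing key, signs a one-line file that stands in for the tarball, and then plays the downloader's side in a second, empty keyring. The "Example Maintainer" user ID, the file names and the tarball contents are all constructed. It shows the three verdicts worth learning to tell apart: NO_PUBKEY (signature present, key not yet imported), GOODSIG, and BADSIG on a corrupted download.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pgAdmin project:
# the detached-signature workflow rmyster described, run against a
# throwaway key so it works offline. The user ID, file names and the
# "tarball" contents below are constructed stand-ins.
set -eu

WORK="$(mktemp -d)"
MAINT_HOME="$WORK/maintainer-gnupg"     # the signer's keyring
mkdir -m 700 "$MAINT_HOME"
trap 'gpgconf --homedir "$MAINT_HOME" --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

TARBALL_CONTENT='constructed stand-in for pgadmin3-1.4.1.tar.gz'
TARBALL="$WORK/pgadmin3-1.4.1.tar.gz"
SIGFILE="$TARBALL.sig"                  # detached signature over TARBALL: NOT a key
PUBKEY="$WORK/maintainer-pubkey.asc"    # the thing that actually gets imported
printf '%s\n' "$TARBALL_CONTENT" > "$TARBALL"

# Every gpg call is non-interactive and names its keyring explicitly.
gpgh() { _home="$1"; shift; gpg --homedir "$_home" --batch --no-tty "$@"; }

# --- maintainer side: make a key, detach-sign the tarball, export the public key
gpgh "$MAINT_HOME" --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Maintainer <maintainer@example.invalid>' default default never 2>/dev/null
gpgh "$MAINT_HOME" --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$SIGFILE" "$TARBALL"
gpgh "$MAINT_HOME" --armor --export maintainer@example.invalid > "$PUBKEY"

# Number of public keys in keyring $1.
key_count() {
    gpgh "$1" --list-keys --with-colons 2>/dev/null | grep -c '^pub:' || true
}

# Verdict of "gpg --verify SIGFILE TARBALL" using keyring $1, taken from the
# machine-readable --status-fd lines rather than the human-readable text:
# NO_PUBKEY, GOODSIG or BADSIG.
verify_with() {
    _out="$(gpgh "$1" --status-fd 1 --verify "$SIGFILE" "$TARBALL" 2>/dev/null || true)"
    for _tok in GOODSIG BADSIG NO_PUBKEY; do
        case "$_out" in *"[GNUPG:] $_tok"*) echo "$_tok"; return 0 ;; esac
    done
    echo UNKNOWN
}

# --- downloader side: replay the thread in a fresh, empty keyring.
# Echoes five space-separated results; each run starts from scratch.
run_demo() {
    _user="$(mktemp -d)"                            # stand-in for your own ~/.gnupg
    printf '%s\n' "$TARBALL_CONTENT" > "$TARBALL"   # undo any earlier tampering

    before="$(verify_with "$_user")"                # NO_PUBKEY: the .sig alone is not checkable
    gpgh "$_user" --import "$SIGFILE" 2>/dev/null || true   # gpg: Total number processed: 0
    keys_after_sig="$(key_count "$_user")"          # 0: a .sig contains no key
    gpgh "$_user" --import "$PUBKEY" 2>/dev/null    # import the maintainer's public key instead
    keys_after_key="$(key_count "$_user")"          # 1
    good="$(verify_with "$_user")"                  # GOODSIG
    printf 'extra byte\n' >> "$TARBALL"             # simulate the corrupted download
    bad="$(verify_with "$_user")"                   # BADSIG

    gpgconf --homedir "$_user" --kill gpg-agent 2>/dev/null || true
    rm -rf "$_user"
    echo "$before $keys_after_sig $keys_after_key $good $bad"
}

run_demo     # prints: NO_PUBKEY 0 1 GOODSIG BADSIG
```

In a real download the only step that differs is where the public key comes from: fetch it from the project's own site or a keyserver, compare its fingerprint against one published through a channel separate from the download, and only then run gpg --import on it. The .sig next to the tarball never contains the key; it only names the key ID, which is why gpg can report "public key not found" yet still tell you which key to go and get. Scripting the check against the --status-fd tokens, as above, is more robust than grepping the English output, which changes between gpg versions and locales.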