[Slackbuilds-users] GPG signatures of all our repository entries

Eric Hameleers alien at slackbuilds.org
Tue Feb 6 11:07:09 UTC 2007



As of today, the SlackBuilds.org admin team will sign new submissions
with our SlackBuilds.org GPG key when we approve and upload them to
the repository.

With the use of our GPG signatures, you can finally make sure that
files you download from our site, but also from unofficial SBo mirrors
are "the real thing": the script you downloaded is indeed the version
we approved.
We want to keep our reputation of high standards and integrity intact.
Indeed, we want you to trust our statement that the SlackBuild scripts
in our repository will not harm your computer ;-)

Other people are of course still able (and allowed!) to make changes
to whatever SlackBuilds we provide, but a modified tarball will no
longer correctly verify as having been signed by:
 "SlackBuilds.org Development Team <slackbuilds-devel at slackbuilds.org>"

In the meantime, we have generated a signature file for every tarball
that was already in our repository. If you now look at the page for
any SlackBuild, you will see it listed right below the header
"Download SlackBuild:". Together with the link to the tarball itself
there is now also a link to the ".asc" signature file.

How do you use this GPG signature to verify that we actually signed
the tarball you downloaded? I assume you have already generated a GPG
keypair for your own use - if not, read a HOWTO at for instance

(1) First, download the SBo public key from our site:
http://slackbuilds.org/GPG-KEY or get it from any public keyserver
such as http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9C7BA3B6

(2) Import this public key into your GPG keyring:
    gpg --import GPG-KEY

(3) Download an SBo repository entry: the tarball as well as the .asc
signature file. Say, you download foo.tar.gz and foo.tar.gz.asc

(4) Verify the signature for the 'foo' download by running this command:
  gpg --verify foo.tar.gz.asc
You should see something resembling the following output:
gpg: Signature made Tue 06 Feb 2007 10:51:06 AM CET using DSA key ID
gpg: Good signature from "SlackBuilds.org Development Team
<slackbuilds-devel at slackbuilds.org>"

If the signature does not match the tarball you will get the following
message (in which case you can be certain that someone modified the
contents of the tarball after we created the signature):
gpg: Signature made Tue 06 Feb 2007 11:40:46 AM CET using DSA key ID
gpg: BAD signature from "SlackBuilds.org Development Team
<slackbuilds-devel at slackbuilds.org>"

We had a question whether an MD5SUM would be sufficient to check a
downloaded tarball.
Well, you can use the md5sum to check that your download has not been
corrupted for instance during download. But anyone hosting a copy of
our repository files can modify their contents and then re-create the
MD5SUM files, and you would never know. With the GPG signatures,
*ONLY* the people in possession of the secret key (i.e. the SBo
admins) can (re-)create the signature files.

Cheers, Eric

--

Eric Hameleers                     >')
ICQ: 151799386                     ( \
Jabber: alien at jabber.xs4all.nl      ^^`
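The verification steps (1) to (4) above, wrapped into a small POSIX shell script. This is an added example, not code from the original post or from the SlackBuilds.org project. It assumes gpg is installed and that the SBo public key has already been imported as in step (2). One check is added that the plain "gpg --verify" command in step (4) does not make: gpg reports a good signature for any key that happens to be in your keyring, so the script reads gpg's machine-readable --status-fd output and only accepts a VALIDSIG whose fingerprint matches the SlackBuilds.org key. The fingerprint below is a constructed placeholder; put the real one from "gpg --fingerprint" of the downloaded GPG-KEY into SBO_FINGERPRINT.

```shell
#!/bin/sh
# Added example (not from the original post): verify an SBo tarball against
# its .asc signature and insist that the signature comes from one specific key.
# CONSTRUCTED placeholder: replace with the fingerprint gpg shows for the
# imported SlackBuilds.org GPG-KEY (40 hex digits, no spaces).
SBO_FINGERPRINT="${SBO_FINGERPRINT:-0000000000000000000000000000000000000000}"

# Read "gpg --status-fd 1" lines on stdin and decide. Return codes:
#   0 = good signature made with the expected key
#   1 = BADSIG: the tarball was modified after it was signed
#   2 = good signature, but from some other key in the keyring
#   3 = no usable result (no signature, key not imported, ...)
check_status() {
    expected="$1"
    result=3
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                result=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fingerprint> <date> <timestamp> ... : field 3 is the
                # full fingerprint of the key that made the signature.
                set -- $line
                fpr="$3"
                if [ "$fpr" = "$expected" ]; then
                    [ "$result" -eq 3 ] && result=0
                else
                    result=2
                fi ;;
        esac
    done
    return "$result"
}

# Verify one downloaded entry, e.g. foo.tar.gz next to foo.tar.gz.asc.
verify_sbo() {
    tarball="$1"
    gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null \
        | check_status "$SBO_FINGERPRINT"
    rc=$?
    case "$rc" in
        0) echo "OK: $tarball is signed by the SlackBuilds.org key" ;;
        1) echo "BAD SIGNATURE: $tarball was modified after it was signed" ;;
        2) echo "WRONG KEY: valid signature, but not from the SlackBuilds.org key" ;;
        *) echo "UNVERIFIED: no valid signature (is the SBo key imported?)" ;;
    esac
    return "$rc"
}

# Usage: sh verify_sbo.sh foo.tar.gz   (runs only when a tarball is given)
[ "$#" -gt 0 ] && verify_sbo "$1"
```

The exit code of verify_sbo can be used directly in a download script, so a BADSIG or a signature from an unexpected key stops the build instead of only printing a line that is easy to overlook.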

