The Debian repositories on www.lesbonscomptes.com are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.
The first section, 'Quick', is for you if you are in a hurry or not interested in the details. See 'More details' further on for the explanations.
Quick: installing the repository keys for apt
Debian Stretch and newer
Either:
- Download the repository keyring (lesbonscomptes.gpg) from this server.
Or:
- Create it by importing the key from the key servers. Name the key by its full fingerprint, as below, not by a short key ID: a key server may well return a different key with the same short ID, but not one with the same full fingerprint:
gpg --no-default-keyring --keyring ./lesbonscomptes.gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201
In both cases:
- Copy the resulting lesbonscomptes.gpg to /usr/share/keyrings/. Keyrings in that directory are not trusted automatically: apt only uses this one for the source entry that names it with the signed-by option, which also keeps the key from validating any other repository.
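The steps above as one script, added here as an example (it is not code from this site). It runs the gpg command from the procedure to build the dedicated keyring, or takes a lesbonscomptes.gpg you downloaded, checks that the keyring holds exactly the expected key before anything is installed, and copies it into /usr/share/keyrings/ with the ownership and mode apt expects. The script name, the fetch/check/install arguments and the KEYRING variable are assumptions of the example; the fingerprint, key server and paths are the ones given above.

```shell
#!/bin/sh
# Added example for the "Debian Stretch and newer" steps; not code from this
# site. Fetches the key into a dedicated keyring (or accepts a downloaded
# lesbonscomptes.gpg), verifies that the keyring contains exactly the expected
# key, and installs it under /usr/share/keyrings/. The fetch/check/install
# arguments and the KEYRING variable are assumptions of the example.
set -u

LBC_FPR=F8E3347256922A8AE767605B7808CE96D38B9201
KEYSERVER=keyserver.ubuntu.com
# The "./" matters: a keyring name without a slash is looked up in ~/.gnupg.
KEYRING=${KEYRING:-./lesbonscomptes.gpg}
DEST=/usr/share/keyrings/lesbonscomptes.gpg

# Read a "gpg --with-colons" key listing on stdin and print the fingerprint of
# each primary key: field 10 of the "fpr" record that follows a "pub" record.
# The "fpr" record that follows a "sub" record is a subkey and is skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeed only if the keyring contains the expected key and no other: once apt
# uses the keyring through signed-by, every key in it may sign the repository.
keyring_is_exactly() {
    local keyring="$1" expected="$2" found
    found=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                --with-colons --fingerprint --list-keys 2>/dev/null | primary_fprs)
    [ "$found" = "$expected" ]
}

fetch_keyring() {
    # The command from the procedure, unchanged: the full fingerprint names the key.
    gpg --no-default-keyring --keyring "$KEYRING" --keyserver "$KEYSERVER" \
        --recv-key "$LBC_FPR"
}

install_keyring() {
    if ! keyring_is_exactly "$KEYRING" "$LBC_FPR"; then
        echo "not installing $KEYRING: it must contain exactly key $LBC_FPR" >&2
        return 1
    fi
    # Root-owned and world-readable (apt reads it as the _apt user), writable by nobody else.
    sudo install -o root -g root -m 0644 "$KEYRING" "$DEST" && echo "installed $DEST"
}

case ${1:-} in
    fetch)   fetch_keyring ;;
    check)   keyring_is_exactly "$KEYRING" "$LBC_FPR" && echo "$KEYRING holds exactly $LBC_FPR" ;;
    install) install_keyring ;;
    *)       echo "usage: $0 fetch | check | install   (KEYRING=$KEYRING)" >&2 ;;
esac
```

Run it as 'sh install-lbc-keyring.sh fetch' then 'sh install-lbc-keyring.sh install' (or set KEYRING to a downloaded file and skip the fetch). The check is what makes the downloaded-keyring variant safe: the fingerprint is compared against the value you took from this page, so a substituted keyring file is refused rather than installed.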
Debian Jessie
- Either download the public key from this server, then import it into your keyring:
gpg --import ~/Downloads/lesbonscomptes.gpg
- Or use a public key server, and perform download and import to the keyring in one step. You may need to install the 'dirmngr' package first:
sudo apt install dirmngr
Then:
gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201
- In both cases, finally add the public key to the 'apt' keyring:
gpg --export '7808CE96D38B9201' | sudo apt-key add -
Note that a key added with apt-key is trusted for every apt source on the system, and that apt-key is deprecated from Debian 11 on; on current releases use the dedicated keyring described above instead.
File checksums
Most distribution files (tar, zip, setup…) have associated sha256 checksum files. These allow checking that a file was not corrupted in copying or transmission. They do not show that the file is genuine: the checksum file sits on the same server as the file, so anyone able to replace one can replace the other. Use the gpg signatures for that.
E.g., after downloading recoll-1.21.5.tar.gz and recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file integrity:
sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256
The diff is only clean if the file name you give to sha256sum is exactly the one recorded in the .sha256 file (no directory prefix); otherwise compare the digests themselves.
Using gpg, once you have imported the public key as described in the next section, you can verify the file integrity and origin (that it was signed by me) in one step:
gpg upmpdcli-1.1.3.tar.gz.asc
gpg: assuming signed data in `upmpdcli-1.1.3.tar.gz'
gpg: Signature made Mon 13 Mar 2017 16:27:20 CET
gpg:                using RSA key 0x7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <jf@dockes.org>" [ultimate]
gpg:                 aka "Jean-Francois Dockes <jfdockes@gmail.com>" [ultimate]
Primary key fingerprint: F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201
The '[ultimate]' marks are specific to the machine where the key was created. On yours, gpg will show '[unknown]' and warn that the key is not certified by a trusted signature. That is expected; what matters is that the 'Good signature' line is present and that the primary key fingerprint is the one shown above.
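The two checks above, as a script you can run on every download. This is an added example, not code from this site: it compares digests rather than diffing whole checksum files, and for the signature it verifies against the dedicated keyring only and compares the primary key fingerprint that gpg reports on its machine-readable VALIDSIG status line with the one published above. A plain gpg --verify exits 0 for a good signature from any key in your keyring, which is not the same thing. The keyring location (/usr/share/keyrings/lesbonscomptes.gpg, overridable with LBC_KEYRING), the script name and the assumption that the .sha256 file starts with the hex digest as sha256sum writes it are the example's own.

```shell
#!/bin/sh
# Added example (not code from this site): check a downloaded file against its
# .sha256 file and its detached .asc signature, accepting the signature only
# from the key whose fingerprint this page publishes. Assumes the dedicated
# keyring at /usr/share/keyrings/lesbonscomptes.gpg (override with LBC_KEYRING)
# and a .sha256 file in sha256sum format ("<hex digest>  <file name>").
set -u

LBC_FPR=F8E3347256922A8AE767605B7808CE96D38B9201
LBC_KEYRING=${LBC_KEYRING:-/usr/share/keyrings/lesbonscomptes.gpg}

# Hex sha256 digest of a file (sha256sum from coreutils, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE SUMFILE: compare digests instead of diffing whole files,
# so a download saved under another name or path still checks cleanly.
# Returns 0 on match, 1 on mismatch, 2 if SUMFILE holds no sha256 digest.
# This only detects corruption: the .sha256 file comes from the same server.
verify_sha256() {
    local file="$1" sumfile="$2" expected actual
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile" 2>/dev/null)
    if [ ${#expected} -ne 64 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
        echo "$sumfile: no sha256 digest found" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "sha256 OK: $file"
        return 0
    fi
    echo "sha256 MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_signature FILE SIGFILE: gpg's exit status only says that some key in
# the keyring made a good signature, and on a fresh machine the human-readable
# output shows "[unknown]" plus a "not certified" warning even for the right
# key. So verify against the dedicated keyring alone and compare the primary
# key fingerprint (last field of the VALIDSIG status line) with the expected one.
verify_signature() {
    local file="$1" sigfile="$2" status primary
    status=$(gpg --batch --no-default-keyring --keyring "$LBC_KEYRING" \
                 --status-fd 1 --verify "$sigfile" "$file" 2>/dev/null) || {
        echo "BAD or missing signature: $file" >&2
        return 1
    }
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print toupper($NF) }')
    if [ "$primary" = "$LBC_FPR" ]; then
        echo "signature OK: $file (primary key $primary)"
        return 0
    fi
    echo "signature made by an unexpected key: ${primary:-none}" >&2
    return 1
}

# verify_download FILE: expects FILE.sha256 and FILE.asc next to FILE.
verify_download() {
    verify_sha256 "$1" "$1.sha256" && verify_signature "$1" "$1.asc"
}

# usage: sh verify-download.sh recoll-1.21.5.tar.gz [more files...]
for f in "$@"; do
    verify_download "$f" || exit 1
done
```

Because the script verifies against the dedicated keyring only, a signature from any other key you may have imported into ~/.gnupg, however "good", is rejected; and because it checks the fingerprint rather than the user ID, a key that merely carries the same name and e-mail address is rejected too.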
More details about the signatures
The download files have detached gpg signatures (same file name, with '.asc' added). These provide only a limited amount of security against tampering on the web server: the keys currently carry nothing but their own self-signatures and are not certified by anyone else, so someone who replaced the files on the server could publish a replacement key there as well.
The public keys are also stored on an independent web site (different hosting provider, passwords, etc.); you can cut/paste them from:
http://www.dockes.org/
This is also not secure in itself, because you don't know that I (J.F. Dockes) set up that site. Still, it is an additional element which an attacker would need to control.
You can receive the key from the keyservers using:
gpg --keyserver keyserver.ubuntu.com --recv-key F8E3347256922A8AE767605B7808CE96D38B9201
You can then check the signature on any file by downloading the parallel .asc file and using, e.g.:
gpg --verify some-tar-file.tar.gz.asc
Note: some very old files may have been signed with an older key. I don’t think that it is in use for any current version, but you can also get it from the server:
gpg --keyserver keyserver.ubuntu.com --recv-key 4C6E80B6374DCD5F53AB706A32D9C2A835ED066C
Apt repositories
The apt repositories are also signed. Only the newer key should be needed.