GNU Scientific Library Reference Manual - Third Edition (v1.12)
by M. Galassi, J. Davies, J. Theiler, B. Gough, G. Jungman, P. Alken, M. Booth, F. Rossi
Paperback (6"x9"), 592 pages, 60 figures
ISBN 0954612078
RRP £24.95 ($39.95)


Appendix E: GPG verification

The official source-code releases of the GNU Scientific Library on ftp.gnu.org are digitally signed with gpg, the GNU Project's cryptography tool. You can verify the integrity of the GSL source code by checking its signature against the maintainer's key.

For the benefit of owners of this printed edition of the manual, the official fingerprint of the maintainer's key is reproduced here:

(see printed edition for key fingerprint)

This fingerprint has been obtained directly from the GSL maintainer for inclusion in this printed manual. To check the GSL source code against the maintainer's key follow the procedure below, ensuring that exactly the same sequence of hexadecimal digits is shown as the fingerprint. In the event that the signing key changes, any new fingerprint will be printed in future editions of this manual.

Checking file signatures

To check a GSL release you will need the gpg and gpgv command-line tools installed, and the public key of the GSL maintainer, Brian Gough. This key is available from the Network Theory website--to download it use the GNU wget command like this,

$ wget http://www.network-theory.co.uk/download/gpg.txt

The key will be stored in the file ‘gpg.txt’. You will then need to check the fingerprint of the downloaded key against the one printed in this manual--the security of this procedure depends on this step. The command to display the fingerprint of the downloaded key is,

$ gpg --with-fingerprint gpg.txt
pub  1024D/64069D5C 2002-03-19 Brian Gough 
     Key fingerprint = .... hexadecimal digits ....
sub  1024g/2E410647 2004-08-27

The hexadecimal digits of the key fingerprint in the output should match those printed in this manual. If there is any discrepancy, the downloaded key should not be used.(9)

Assuming the fingerprint is correct, import the key onto a keyring named ‘gsl’, ready for actual use:

$ gpg --no-default-keyring --keyring gsl --import gpg.txt
gpg: ~/.gnupg/gsl: keyring created
gpg: key 64069D5C: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

You can now check the source code. You need both the tar file, e.g. ‘gsl-1.12.tar.gz’, and its signature file, e.g. ‘gsl-1.12.tar.gz.sig’(10) from the ‘gnu/gsl’ directory on ftp.gnu.org.

The gpgv command is used to verify the file,

$ gpgv --keyring gsl gsl-1.12.tar.gz.sig 
gpgv: Signature made Mon 15 Dec 2008 18:26:47 GMT
  using DSA key ID 64069D5C
gpgv: Good signature from "Brian Gough 

If you see the message Good signature you can be confident that the file has not been tampered with (assuming the fingerprint displayed earlier matches the one printed in this manual).
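The whole procedure above (fingerprint check, import into the ‘gsl’ keyring, gpgv verification) as one POSIX shell script, written so that the key is never imported unless its fingerprint equals the pinned value. This is an added example, not code from the manual or the GSL project; it assumes gpg and gpgv are on PATH, and EXPECTED_FPR is a placeholder to be replaced with the fingerprint printed in this manual.

```shell
#!/bin/sh
# Added example: pin the maintainer's fingerprint and refuse the key
# otherwise. EXPECTED_FPR is a placeholder, not the real fingerprint;
# copy the value from the printed edition before use.
set -eu

EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"  # placeholder
KEYRING=gsl   # keyring name as in the manual; gpg creates it under ~/.gnupg

# Strip whitespace and fold hex case so the printed form ("1234 5678 ...")
# and whatever form gpg prints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if the two fingerprints are identical after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of the first key in a key file, taken from gpg's
# machine-readable listing (the first "fpr" record, field 10).
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_release KEYFILE SIGFILE: check the fingerprint, then import and
# verify. gpgv names the data file by stripping ".sig" from SIGFILE.
verify_release() {
    keyfile=$1 sigfile=$2
    actual=$(key_fingerprint "$keyfile")
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "REFUSING: key fingerprint '$actual' differs from the printed one" >&2
        return 1
    fi
    gpg --no-default-keyring --keyring "$KEYRING" --import "$keyfile"
    # gpgv exits non-zero on a bad or unknown signature; because the keyring
    # holds only the maintainer's key, no other signer can yield "Good signature".
    gpgv --keyring "$KEYRING" "$sigfile"
}

# Usage: sh verify-gsl.sh gpg.txt gsl-1.12.tar.gz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```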
