GNU Scientific Library Reference Manual - Third Edition (v1.12)
by M. Galassi, J. Davies, J. Theiler, B. Gough, G. Jungman, P. Alken, M. Booth, F. Rossi
Paperback (6"x9"), 592 pages, 60 figures
RRP £24.95 ($39.95)
E GPG verification
The official source-code releases of the GNU Scientific Library on
ftp.gnu.org are digitally signed with
gpg, the GNU Project's cryptography tool.
You can verify the integrity of the GSL source code by checking its
signature against the maintainer's key.
For the benefit of owners of this printed edition of the manual, the official fingerprint of the maintainer's key is reproduced here:
This fingerprint has been obtained directly from the GSL maintainer for inclusion in this printed manual. To check the GSL source code against the maintainer's key follow the procedure below, ensuring that exactly the same sequence of hexadecimal digits is shown as the fingerprint. In the event that the signing key changes, any new fingerprint will be printed in future editions of this manual.
Checking file signatures
To check a GSL release you will need the gpg
command-line tools installed, and the public key of the GSL
maintainer, Brian Gough. This key is available from the Network
Theory website--to download it use the GNU
wget command like this,
$ wget http://www.network-theory.co.uk/download/gpg.txt
The key will be stored in the file ‘gpg.txt’. You will then need to check the fingerprint of the downloaded key against the one printed in this manual--the security of this procedure depends on this step. The command to display the fingerprint of the downloaded key is,
$ gpg --with-fingerprint gpg.txt
pub  1024D/64069D5C 2002-03-19 Brian Gough <email@example.com>
      Key fingerprint = .... hexadecimal digits ....
sub  1024g/2E410647 2004-08-27
The hexadecimal digits of the key fingerprint in the output should match those printed in this manual. If there is any discrepancy, the downloaded key should not be used.
Assuming the fingerprint is correct, import the key onto a keyring named ‘gsl’, ready for actual use:
$ gpg --no-default-keyring --keyring gsl --import gpg.txt
gpg: ~/.gnupg/gsl: keyring created
gpg: key 64069D5C: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
You can now check the source code. You need both the tar file,
e.g. ‘gsl-1.12.tar.gz’, and its signature file,
e.g. ‘gsl-1.12.tar.gz.sig’, from the ‘gnu/gsl’ directory on
ftp.gnu.org. The gpgv command is used to verify the file,
$ gpgv --keyring gsl gsl-1.12.tar.gz.sig
gpgv: Signature made Mon 15 Dec 2008 18:26:47 GMT using DSA key ID 64069D5C
gpgv: Good signature from "Brian Gough <firstname.lastname@example.org>"
If you see the message ‘Good signature’ you can be
confident that the file has not been tampered with (assuming the fingerprint
displayed earlier matches the one printed in this manual).
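The procedure above can be scripted so that the key is imported only after its fingerprint has been compared against the printed one. The following is an added example, not part of the manual: the function names are hypothetical, the sample listing is constructed, and it assumes GnuPG 2.2 or later for `gpg --show-keys`.

```shell
#!/bin/sh
# Added example (not from the manual). Function names are hypothetical.
# Assumes GnuPG 2.2 or later for `gpg --show-keys`.

# Constructed sample of `gpg --with-colons` output; not a real key.
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:1016496000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1016496000::::Example Maintainer <maintainer@example.org>:
sub:-:1024:16:76543210FEDCBA98:1093564800::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and upper-case, so a fingerprint typed in from print
# ("0123 4567 ...") compares equal to gpg's machine-readable form.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read a --with-colons listing on stdin and print the primary key fingerprint.
# Fails unless there is exactly one primary key: --import adds every key in
# the file, and gpgv trusts every key on the keyring.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { npub++; want = 1; next }
        $1 == "sub"         { want = 0 }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END { if (npub != 1 || fpr == "") exit 1; print fpr }'
}

# fpr_matches PRINTED_FPR < listing : status 0 only on an exact 40-digit match.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case $expected in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fpr) || return 1
    [ "$actual" = "$expected" ]
}

# verify_release KEYFILE PRINTED_FPR TARBALL : the manual's steps, stopping at
# the first failure so a mismatched key is never imported.
verify_release() {
    gpg --show-keys --with-colons "$1" | fpr_matches "$2" || {
        echo "fingerprint check failed for $1; key not imported" >&2
        return 1
    }
    gpg --no-default-keyring --keyring gsl --import "$1" || return 1
    gpgv --keyring gsl "$3.sig" "$3"
}
```

The printed fingerprint is passed as the second argument to `verify_release`, typed in from the manual rather than copied from the same site that served the key.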
ISBN 0954612078