GnuPG for TeX Live

This repository and its contained programs are not part of TeX Live, nor are they affiliated with the TeX Users Group (TUG) or any other TeX user group.

Starting with release 2016, TeX Live provides facilities to verify the authenticity of the TeX Live database using cryptographic signatures. For this to work, a working GnuPG program needs to be available: either gpg (version 1) or gpg2 (version 2).

To ease adoption of verification, this repository provides a TeX Live package tlgpg that ships GnuPG binaries for Windows and MacOS (universal and x86_64).

Usage

If you are not running Windows or MacOS, there is no need to read this page or install tlgpg. Please install GnuPG through the usual channels of your distribution (this might change in the future).

For Windows or MacOS users, there are two options: (i) do a one-time installation of the tlgpg package; or (ii) add tlgpg to the list of local repositories and install gpg.

One-time installation

This is the simplest case and installs the necessary packages with a single command:

  tlmgr --repository http://www.preining.info/tlgpg/ install tlgpg

Add tlgpg as repository

tlmgr can handle several repositories at the same time, and this guarantees that future updates to a package installed from a secondary repository are also installed. As far as I know this is not supported by TLU on Mac.

There are three steps involved:

(i) Tell tlmgr about the new repository:

  tlmgr repository add http://www.preining.info/tlgpg/ mytlgpg

The final mytlgpg is a free-form tag (one word) that will be used later. It can be anything reasonable.

(ii) Tell tlmgr that you want to install tlgpg from this repository:

  tlmgr pinning add mytlgpg "tlgpg*"

(The quotes protect the pattern against possible shell expansion.)

(iii) Install tlgpg

  tlmgr install tlgpg

You should see a message that tlgpg has been installed.

How to check verification status?

tlmgr will report the currently used repository at the beginning of each run. After this there is either
 (verified)
or
 (not verified)
from which you can tell whether the repository was checked against a signature.
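
For unattended installs it helps to turn that marker into an exit status. The following is an added example, not part of tlgpg or TeX Live: the function names, the mirror URL and the sample report are constructed, and it assumes each repository appears on its own line as a URL followed by one of the two markers described above.

```shell
#!/bin/sh
# Added example: gate a script on the "(verified)" marker tlmgr prints.

# Read tlmgr output on stdin and tag every line that names a repository URL.
# Only the two markers described above are interpreted; a URL line with
# neither marker is tagged "no-status" so it is never mistaken for success.
classify_repos() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"://"*"(not verified)"*) printf 'not-verified | %s\n' "$line" ;;
            *"://"*"(verified)"*)     printf 'verified | %s\n' "$line" ;;
            *"://"*)                  printf 'no-status | %s\n' "$line" ;;
        esac
    done
}

# Exit status: 0 = every repository verified, 1 = at least one is not,
# 2 = no repository line was found (treat as failure, not as success).
all_verified() {
    _report=$(classify_repos)
    [ -n "$_report" ] || return 2
    if printf '%s\n' "$_report" | grep -qv '^verified |'; then
        return 1
    fi
    return 0
}

# Constructed sample of a start-of-run report with two repositories.
# $1 is the marker to put on the second one; the line layout is an assumption.
sample_report() {
    printf 'tlmgr: package repositories\n'
    printf '\tmain = http://mirror.example.org/tlnet (verified)\n'
    printf '\tmytlgpg = http://www.preining.info/tlgpg/ %s\n' "$1"
}

# Demo on the constructed sample; against a real installation, pipe the
# output of a tlmgr run into all_verified instead.
sample_report "(not verified)" | classify_repos
```

A status of 2 is kept separate from 1 so that a run whose output contains no repository line at all is not read as a passed check.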

Sources

The sources of the programs are available here.

Questions, comments

Please send them to me by email.
(C) 2016 Norbert Preining