GnuPG packages in a TeX Live repository

This repository and its contained programs are not part of TeX Live, nor are they affiliated with the TeX Users Group (TUG) or any other TeX user group.

To ease adoption of verification, this repository provides a TeX Live package tlgpg that ships GnuPG binaries for Windows and MacOS (universal and x86_64). It is hosted as part of texlive.info.

Starting with the TeX Live 2016 release, TeX Live provides facilities to verify authenticity of the TeX Live database using cryptographic signatures. For this to work, a working GnuPG program needs to be available; either gpg (version 1) or gpg2 (version 2).

GnuPG (GNU Privacy Guard) has its own web site, gnupg.org, which provides distributions in both source and binary form and plenty of documentation.

Usage

If you are not running Windows or MacOS, there is no need to read this page or to install tlgpg. Please install GnuPG through the usual channels of your distribution.

For Windows or MacOS users, there are two options: (i) do a one-time installation of the tlgpg package; or (ii) add the tlgpg repository to the list of local repositories and install gpg for the sake of possible future updates.

One-time installation

This is the simplest case and suffices to install the necessary packages for verification:

  tlmgr --repository http://www.preining.info/tlgpg/ install tlgpg

Or add tlgpg as repository

Alternatively, tlmgr can handle several repositories at the same time, and this method guarantees that future updates to a package installed from a secondary repository are also installed.

There are three steps involved:

  1. Tell tlmgr about the new repository:
      tlmgr repository add http://www.preining.info/tlgpg/ mytlgpg
    
    That final word mytlgpg is a free-form tag (one word) that will be used later. It can be anything reasonable.

  2. Tell tlmgr that you want to install tlgpg from this repository (the "quotes" are to protect against possible shell expansion):
      tlmgr pinning add mytlgpg "tlgpg*"
    
  3. Install the tlgpg package:
      tlmgr install tlgpg
    
    You should then see a message that tlgpg has been installed.

How to check verification status?

tlmgr reports the repository currently in use at the beginning of each run. The repository is followed by either (verified) or (not verified), which tells you whether it was checked against a signature.

Signing key

TeX Live ISO images as well as the TeX Live database files have their checksum files (sha512) signed with the TeX Live release key (0x4CE1877E19438C70 is the signing subkey of the pubkey 0x0D5E5D9106BAB6BC). Import this key if you want to verify the releases. Note that this key has only limited validity and we extend it once a year, so you have to update the key once it has expired.
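
As an added example (not part of the original page or of TeX Live), the shell function below reads the machine-readable output of gpg --status-fd 1 --verify and accepts a signature only if it was made by the subkey and primary key named above and that key has not expired. The function names are hypothetical, and the sample status lines with their zero-padded fingerprints are constructed.

```shell
#!/bin/sh
# Key IDs taken from the page; everything else here is illustrative.
SUBKEY=4CE1877E19438C70     # signing subkey
PRIMARY=0D5E5D9106BAB6BC    # primary key
PAD=000000000000000000000000  # constructed filler, NOT the real fingerprint

# Reads gpg status lines on stdin, prints one verdict word, returns 0 only
# for "ok". A v4 key ID is the last 16 hex digits of the key's fingerprint.
# Real use (file names are placeholders):
#   gpg --status-fd 1 --verify SIGFILE CHECKSUMFILE 2>/dev/null | check_tl_sig
check_tl_sig() {
    awk -v sub_id="$SUBKEY" -v pri_id="$PRIMARY" '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { nokey = 1 }      # release key not imported
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }    # good signature, expired key
        $2 == "VALIDSIG" {
            # $3 = fingerprint of the signing (sub)key, last field = primary
            signer = toupper($3); primary = toupper($NF)
            if (substr(signer, length(signer) - 15) == sub_id &&
                substr(primary, length(primary) - 15) == pri_id) good++
            else other++
        }
        END {
            if (nokey) v = "key-missing"
            else if (bad) v = "bad-signature"
            else if (expired) v = "key-expired"
            else if (other) v = "wrong-key"
            else if (!good) v = "no-valid-signature"
            else v = "ok"
            print v
            exit (v == "ok" ? 0 : 1)
        }'
}

# Constructed status output for a good signature by the release subkey.
sample_good() {
    printf '%s\n' \
      "[GNUPG:] NEWSIG" \
      "[GNUPG:] GOODSIG $SUBKEY Constructed User ID" \
      "[GNUPG:] VALIDSIG $PAD$SUBKEY 2019-04-29 1556500000 0 4 0 1 10 00 $PAD$PRIMARY"
}
# Same signature as gpg reports it once the key has expired.
sample_expired() { sample_good | sed 's/GOODSIG/EXPKEYSIG/'; }
```

A "key-expired" verdict is the case described above: fetch the extended release key and verify again.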

Sources

The sources of the programs are available here.

Questions, comments

Please contact me by email.


Copyright 2016-2019 Norbert Preining