I am very new to linux platform and I want to extract gnutls for ubuntu. If I do,
$ ls
then, it will show these files below.
gnutls-3.2.1.tar.lz
gnutls-3.2.1.tar.lz.sig
gnutls-3.2.1.tar.xz
gnutls-3.2.1.tar.xz.sig
When I give command,
$ tar -xvf gnutls-3.2.1.tar.xz
I get output,
tar: xz: Cannot exec: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
I want to extract these files.
gpgv <filename>.sig
command, it says public key is not found.
Why are there two types of formats given? - xz and lz
Only for convenience, so that people can download the one for which they have appropriate tools available/installed. Remember that most 'linux' libraries are intended for use on other unix-like platforms also (e.g. the BSDs, Solaris, AIX, OSX even). It cannot be assumed that more recent tools like xz are readily available in every platform.
I need a separate utility package?
Yes, the error message from tar is telling you that it cannot find the xz command:
tar: xz: Cannot exec: No such file or directory
You identified correctly the package to install, xz-utils. If you tried to extract the .lz archive, it would complain that it cannot find lzip instead (and you would install the lzip package).
There's not much difference: lzip is the older LZMA standard, xz is the newer LZMA2. The label 'beta' is always subjective. In this context I would not worry!
Why are there signature files?
So that people can be sure the archive they downloaded was published by the person they expect. It is to guard against the possibility that a hacker could gain access to the site (or a mirror) then add some malicious code to the sources in the archive.
How to verify it?
You got that command fine, but what you need to understand is that you have to tell GnuPG which keys you trust. Typically, you would take the public key (usually .asc or .txt) files published by the author(s) and import them to your gpg keyring. On the GnuTLS downloads page:
All the releases are signed with Nikos' or Simon's OpenPGP key.
So you could do something like:
wget -O- http://josefsson.org/key.txt | gpg --import
wget -O- http://members.hellug.gr/nmav/pgpkeys.asc | gpg --import
Another way is when people publish only their RSA Key ID, which can be imported from commonly known gpg keyservers. For example, you could import my public key like this:
gpg --recv-key 15C4D63E
For most default gpg configurations, that should obtain the specified key from a public keyserver (probably keys.gnupg.net).
Afterwards, gpg should report a 'good signature' from either of those authors, but expect it still to show a warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This just means that there exists no chain of trust (based on the keys you have marked as trusted in your keyring) to say that this is the correct key for the named person. It could be the key of a hacker instead.
At some point you have to be confident that the key you obtain came from the right person, but exactly what to trust and when is something for each person to research and decide for themselves, based on your own level of paranoia, or current purposes.
Personally, I do not bother to verify source archives unless I am planning to redistribute something built from them.
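As an added example (not from the answer's author), the steps above combined into a small shell helper: it reads the archive's magic bytes to pick xz or lzip, names the Ubuntu package to install if the tool is missing (the same packages the answer mentions), and refuses to unpack unless gpg reports a GOODSIG status line. The status-line names come from gpg's --status-fd output; the package names are assumed to be the Ubuntu ones.

```shell
# detect_compressor FILE -> prints "xz", "lzip", "gzip" or "unknown" from the magic bytes
detect_compressor() {
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    case "$magic" in
        fd377a585a00*) echo xz ;;     # xz stream header
        4c5a4950*)     echo lzip ;;   # "LZIP"
        1f8b*)         echo gzip ;;
        *)             echo unknown ;;
    esac
}

# package_for TOOL -> Ubuntu package providing that decompressor (assumed names)
package_for() {
    case "$1" in
        xz)   echo xz-utils ;;
        lzip) echo lzip ;;
        gzip) echo gzip ;;
        *)    return 1 ;;
    esac
}

# verify_and_extract ARCHIVE SIG: only unpack after gpg reports a good signature.
# Machine-readable status lines ([GNUPG:] GOODSIG / TRUST_*) are checked instead
# of parsing the human-readable text, which varies with locale and version.
verify_and_extract() {
    archive=$1; sig=$2
    tool=$(detect_compressor "$archive")
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "missing $tool: install $(package_for "$tool")" >&2
        return 2
    fi
    status=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null)
    case "$status" in
        *"[GNUPG:] GOODSIG"*) ;;
        *) echo "signature check failed for $archive; not extracting" >&2; return 1 ;;
    esac
    # GOODSIG alone means the key is in your keyring, not that you trust it
    case "$status" in
        *"[GNUPG:] TRUST_FULLY"*|*"[GNUPG:] TRUST_ULTIMATE"*) ;;
        *) echo "note: good signature, but the key is not marked trusted" >&2 ;;
    esac
    "$tool" -dc "$archive" | tar -xf -
}
```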