
Re: Need help with PGP signature verification



Hi,

Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of Rakudo
> downloadable files.

Do I get it right that you are talking about https://rakudo.org/downloads ?

> Question:  How can I get the fingerprint from the downloads? 
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.

The "Verify" button at the above web page leads to
  https://rakudo.org/downloads/verifying
which explains how to use sha256 and gpg2 for verification.
Most importantly it lists the fingerprints of the four "Keys of the
releasers". If gpg2 --verify reports any other fingerprint, then the .asc
file cannot be trusted.

(It is not overly trustworthy that fingerprints and the signed files
are offered on the same web site. Once the site is compromised, both can
be manipulated by the attacker.)


Have a nice day :)

Thomas
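A small script that applies the check described above: it reads gpg's machine-readable status and accepts the signed checksums file only when the reported primary-key fingerprint is one of the pinned releaser fingerprints, and only then compares the sha256 of the download. This is an added example, not code from the mail or from the Rakudo project; the fingerprints in it are placeholders to be replaced with the ones listed at https://rakudo.org/downloads/verifying, and it assumes GnuPG's `--status-fd` output format and GNU coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not part of the original mail. Pin the releasers' fingerprints
# (PLACEHOLDER values here; copy the real ones from
# https://rakudo.org/downloads/verifying) and accept a signature only when gpg's
# machine-readable status reports a VALIDSIG whose primary key is pinned.
# A plain "Good signature" from gpg2 --verify is not enough: any key in your
# keyring produces GOODSIG, so the fingerprint comparison is the real check.
PINNED_FINGERPRINTS="
0000000000000000000000000000000000000001
0000000000000000000000000000000000000002
"

# check_status STATUS_TEXT
# STATUS_TEXT is the output of `gpg2 --status-fd 1 --verify file.asc file`.
# Prints the pinned primary-key fingerprint and returns 0 when the signature
# was made by a pinned key; returns 1 otherwise (no VALIDSIG, or unknown key).
check_status() {
    # VALIDSIG carries the signing (sub)key fingerprint in field 3 and the
    # primary key fingerprint in the last field; the web page lists primaries.
    fpr=$(printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$fpr" ] || return 1
    for pinned in $PINNED_FINGERPRINTS; do
        if [ "$pinned" = "$fpr" ]; then
            printf '%s\n' "$fpr"
            return 0
        fi
    done
    return 1
}

# verify_download SIG_FILE CHECKSUMS_FILE ARTIFACT
# Authenticates the checksums file first, then checks the artifact's sha256
# against it (GNU coreutils sha256sum; on BSD/macOS use `shasum -a 256 -c`).
verify_download() {
    status=$(gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_status "$status" >/dev/null || return 1
    grep " $(basename "$3")\$" "$2" | (cd "$(dirname "$3")" && sha256sum -c --strict)
}
```

Run it as `verify_download rakudo-XXX.tar.gz.checksums.txt.asc rakudo-XXX.tar.gz.checksums.txt rakudo-XXX.tar.gz` (names illustrative); a non-zero exit means either the signature is not from a pinned key or the hash does not match.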

