Re: Need help with PGP signature verification

[debian-user@howorth.org.uk]

"Thomas Schmitt" <scdbackup@gmx.net> wrote:
> Hi,
> 
> Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.  
> 
> Do i get it right that you talk about https://rakudo.org/downloads ?
> 
> > Question:  How can I get the fingerprint from the downloads? 
> > The products I download are (1) the file of interest, (2) a PGP
> > signed checksums file with various shaX hashes for the file, and
> > (3) a separate file containing a PGP signature.  
> 
> The "Verify" button at above web page leads to
>   https://rakudo.org/downloads/verifying
> which explains how to use sha256 and gpg2 for verification.
> Most importantly it lists the fingerprints of the four "Keys of the
> releasers". If gpg2 --verify reports any other fingerprint, then
> the .asc file cannot be trusted.
> 
> (It is not overly trustworthy that fingerprints and the signed files
> are offered on the same web site. Once the site is compromised, both
> can be manipulated by the attacker.)

That's why the page suggests that the developers' also list their
fingerprints on their github pages, I suspect. Which they do.