digitalmars.D.learn - dmd download sig file, how do I use it
Hi All, The DMD download is accompanied with a sig file How exactly do I use this sig file I am assuming I can use it in place of checksum to verify the download And to be honest, I have almost zero knowledge for gpg and encryption I googled a little but, didnt exactly find what I was hoping to find I tried the following commandgpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.debwhich returns gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Can't check signature: No public key I guess this means, the file is not verified So how can I do a complete verification? I also downloaded the keryring file, from link in the download page but also couldnt figure out how to use it Any explanation of how this gpg sig key works and how to use it to verify the download would be appreciated thanks
Mar 24 2018
On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:Hi All, The DMD download is accompanied with a sig file How exactly do I use this sig file I am assuming I can use it in place of checksum to verify the download And to be honest, I have almost zero knowledge for gpg and encryption I googled a little but, didnt exactly find what I was hoping to find I tried the following commandThe official install script takes care of this automatically: https://dlang.org/install.html If you want to do this manually, you need to grab the D keyring from here: https://dlang.org/gpg_keys.html And here's how you would verify the signature automatically like e.g. gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz It's also possible to permanently add this keyring to your installation with e.g. gpg --import ~/dlang/d-keyring.gpg (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.debwhich returns gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Can't check signature: No public key I guess this means, the file is not verified So how can I do a complete verification? I also downloaded the keryring file, from link in the download page but also couldnt figure out how to use it Any explanation of how this gpg sig key works and how to use it to verify the download would be appreciated thanks
Mar 24 2018
On Sunday, 25 March 2018 at 04:01:28 UTC, Seb wrote:gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xzThanks, I guess this kinda works I am now getting gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Good signature from "Martin Nowak <martin.nowak plugintheworld.com>" [expired] gpg: aka "Martin Nowak (dawg) <me dawg.eu>" [expired] gpg: aka "Martin Nowak <code dawg.eu>" [expired] gpg: Note: This key has expired! Primary key fingerprint: AFC7 DB45 693D 62BB 472B F27B AB8F E924 C2F7 E724 Subkey fingerprint: A734 4DAD 3C34 1EA1 2D13 C4E6 B273 8116 12BB 1939 The command is a bit tricky, originally i kept trying the command with only the keyring file name, which didnt work, it needed the path(Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download
Mar 25 2018
On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:Sha1 or sha256 can't be verified automatically, because it requires you to download the checksum from the same source. They can be used if you have checked the authenticity in another way, but if dlang.org is compromised the attacker would also change the checksums, but he can't change your local, verified keyring. For this reason, it's common for Linux distro to sign their packages: https://wiki.archlinux.org/index.php/Pacman/Package_signing https://wiki.debian.org/SecureApt(Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download
Mar 25 2018