www.digitalmars.com         C & C++   DMDScript  

digitalmars.D.learn - dmd download sig file, how do I use it

reply Ali <fakeemailadress example.com> writes:
Hi All,

The DMD download is accompanied with a sig file
How exactly do I use this sig file
I am assuming I can use it in place of checksum to verify the 
download

And to be honest, I have almost zero knowledge for gpg and 
encryption
I googled a little but, didnt exactly find what I was hoping to 
find

I tried the following command
 gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.deb
which returns gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Can't check signature: No public key I guess this means, the file is not verified So how can I do a complete verification? I also downloaded the keryring file, from link in the download page but also couldnt figure out how to use it Any explanation of how this gpg sig key works and how to use it to verify the download would be appreciated thanks
Mar 24 2018
parent reply Seb <seb wilzba.ch> writes:
On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:
 Hi All,

 The DMD download is accompanied with a sig file
 How exactly do I use this sig file
 I am assuming I can use it in place of checksum to verify the 
 download

 And to be honest, I have almost zero knowledge for gpg and 
 encryption
 I googled a little but, didnt exactly find what I was hoping to 
 find

 I tried the following command
 gpg --verify dmd_2.079.0-0_amd64.deb.sig 
 dmd_2.079.0-0_amd64.deb
which returns gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Can't check signature: No public key I guess this means, the file is not verified So how can I do a complete verification? I also downloaded the keryring file, from link in the download page but also couldnt figure out how to use it Any explanation of how this gpg sig key works and how to use it to verify the download would be appreciated thanks
The official install script takes care of this automatically: https://dlang.org/install.html If you want to do this manually, you need to grab the D keyring from here: https://dlang.org/gpg_keys.html And here's how you would verify the signature automatically like e.g. gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz It's also possible to permanently add this keyring to your installation with e.g. gpg --import ~/dlang/d-keyring.gpg (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)
Mar 24 2018
parent reply Ali <fakeemailadress example.com> writes:
On Sunday, 25 March 2018 at 04:01:28 UTC, Seb wrote:
 gpg --verify --keyring ~/dlang/d-keyring.gpg 
 --no-default-keyring dmd.2.079.0.linux.tar.xz.sig 
 dmd.2.079.0.linux.tar.xz
Thanks, I guess this kinda works I am now getting gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST gpg: using RSA key B273811612BB1939 gpg: Good signature from "Martin Nowak <martin.nowak plugintheworld.com>" [expired] gpg: aka "Martin Nowak (dawg) <me dawg.eu>" [expired] gpg: aka "Martin Nowak <code dawg.eu>" [expired] gpg: Note: This key has expired! Primary key fingerprint: AFC7 DB45 693D 62BB 472B F27B AB8F E924 C2F7 E724 Subkey fingerprint: A734 4DAD 3C34 1EA1 2D13 C4E6 B273 8116 12BB 1939 The command is a bit tricky, originally i kept trying the command with only the keyring file name, which didnt work, it needed the path
 (Note: the individual keys in the keyring are currently expired 
 and we are working on rolling out a new keyring, but that 
 doesn't affect yverifying the existing signatures.)
while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download
Mar 25 2018
parent Seb <seb wilzba.ch> writes:
On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:
 (Note: the individual keys in the keyring are currently 
 expired and we are working on rolling out a new keyring, but 
 that doesn't affect yverifying the existing signatures.)
while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download
Sha1 or sha256 can't be verified automatically, because it requires you to download the checksum from the same source. They can be used if you have checked the authenticity in another way, but if dlang.org is compromised the attacker would also change the checksums, but he can't change your local, verified keyring. For this reason, it's common for Linux distro to sign their packages: https://wiki.archlinux.org/index.php/Pacman/Package_signing https://wiki.debian.org/SecureApt
Mar 25 2018