Thread overview

March 25, 2018 dmd download sig file, how do I use it
Hi All,
The DMD download is accompanied with a sig file
How exactly do I use this sig file
I am assuming I can use it in place of checksum to verify the download
And to be honest, I have almost zero knowledge of gpg and encryption
I googled a little but didn't exactly find what I was hoping to find
I tried the following command
> gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.deb
which returns
gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
gpg: using RSA key B273811612BB1939
gpg: Can't check signature: No public key
I guess this means the file is not verified
So how can I do a complete verification?
I also downloaded the keyring file, from the link on the download page
but also couldn't figure out how to use it
Any explanation of how this gpg sig key works and how to use it to verify the download
would be appreciated
thanks
March 25, 2018 Re: dmd download sig file, how do I use it
Posted in reply to Ali

On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:
> Hi All,
>
> The DMD download is accompanied with a sig file
> How exactly do I use this sig file
> I am assuming I can use it in place of checksum to verify the download
>
> And to be honest, I have almost zero knowledge of gpg and encryption
> I googled a little but didn't exactly find what I was hoping to find
>
> I tried the following command
>> gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.deb
>
> which returns
>
> gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
> gpg: using RSA key B273811612BB1939
> gpg: Can't check signature: No public key
>
> I guess this means the file is not verified
> So how can I do a complete verification?
>
> I also downloaded the keyring file, from the link on the download page
> but also couldn't figure out how to use it
>
> Any explanation of how this gpg sig key works and how to use it to verify the download
> would be appreciated
>
> thanks

The official install script takes care of this automatically:

https://dlang.org/install.html

If you want to do this manually, you need to grab the D keyring from here:

https://dlang.org/gpg_keys.html

And here's how you would verify the signature automatically like e.g.

gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz

It's also possible to permanently add this keyring to your installation with e.g.

gpg --import ~/dlang/d-keyring.gpg

(Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect verifying the existing signatures.)
March 25, 2018 Re: dmd download sig file, how do I use it
Posted in reply to Seb

On Sunday, 25 March 2018 at 04:01:28 UTC, Seb wrote:
> gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz

Thanks, I guess this kinda works. I am now getting

gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
gpg:                using RSA key B273811612BB1939
gpg: Good signature from "Martin Nowak <martin.nowak@plugintheworld.com>" [expired]
gpg:                 aka "Martin Nowak (dawg) <me@dawg.eu>" [expired]
gpg:                 aka "Martin Nowak <code@dawg.eu>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: AFC7 DB45 693D 62BB 472B F27B AB8F E924 C2F7 E724
     Subkey fingerprint: A734 4DAD 3C34 1EA1 2D13 C4E6 B273 8116 12BB 1939

The command is a bit tricky; originally I kept trying the command with only the keyring file name, which didn't work, it needed the path.

> (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect verifying the existing signatures.)

While you are at it, also add a sha1 or a sha256 checksum, I think it will work better to verify the download.
March 25, 2018 Re: dmd download sig file, how do I use it
Posted in reply to Ali

On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:
>> (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect verifying the existing signatures.)
>
> While you are at it, also add a sha1 or a sha256 checksum, I think it will work better to verify the download.

Sha1 or sha256 can't be verified automatically, because it requires you to download the checksum from the same source.
They can be used if you have checked the authenticity in another way, but if dlang.org is compromised the attacker would also change the checksums, but he can't change your local, verified keyring.

For this reason, it's common for Linux distros to sign their packages:

https://wiki.archlinux.org/index.php/Pacman/Package_signing
https://wiki.debian.org/SecureApt
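An added example, not code from this thread or from dlang.org, that scripts the two points made in Seb's replies: the manual `gpg --verify --keyring ... --no-default-keyring` check from his first answer, and the reason from this answer that a signature checked against a local, pinned keyring beats a checksum fetched from the same server. It verifies the detached `.sig` against a dedicated keyring, reads gpg's machine-readable `--status-fd` output instead of grepping for "Good signature", and pins the primary key fingerprint quoted in Ali's gpg output, so a signature from any other key (say one an attacker swapped into a tampered keyring download) is rejected even though gpg itself would call it "good". The keyring path and file names on the command line are placeholders; the `sample_*` functions carry constructed status lines whose fingerprints come from the thread but whose timestamp and algorithm fields are illustrative.

```shell
#!/bin/sh
# Added example, not code from this thread or from dlang.org: verify a
# detached .sig against a dedicated keyring and pin the signing identity
# by primary-key fingerprint, instead of grepping for "Good signature".
#
# Assumptions (placeholders): the keyring path and file names passed on the
# command line; the status lines in the sample_* functions are constructed
# from the fingerprints quoted in the thread, with illustrative timestamp
# and algorithm fields.

# Primary key fingerprint from the gpg output quoted in the thread, no spaces.
PINNED_PRIMARY_FPR="AFC7DB45693D62BB472BF27BAB8FE924C2F7E724"

# check_status PINNED_FPR   (reads gpg --status-fd output on stdin)
# Succeeds only if gpg reported a good signature (GOODSIG, or EXPKEYSIG:
# good signature from a key that has since expired, which is what the
# thread's keyring gives) AND the VALIDSIG line names the pinned primary
# key as its last field. Any BADSIG/ERRSIG/NO_PUBKEY line is a failure
# (NO_PUBKEY is the "Can't check signature: No public key" case).
check_status() {
    pinned=$1
    good=0
    fpr_ok=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*|"[GNUPG:] EXPKEYSIG "*)
                good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
                # The signature is usually made by a subkey (...12BB1939
                # here); pinning the primary key survives subkey rotation.
                primary=${line##* }
                [ "$primary" = "$pinned" ] && fpr_ok=1 ;;
        esac
    done
    if [ "$good" -eq 1 ] && [ "$fpr_ok" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_download KEYRING SIGFILE FILE
# --no-default-keyring: only the downloaded D keyring is consulted, not
# whatever else is in ~/.gnupg. Give KEYRING as an absolute path or with a
# ./ prefix: a bare file name is looked up inside the GnuPG home directory,
# which is why "only the keyring file name" did not work in the thread.
# --status-fd 1 puts the machine-readable status on stdout; gpg's usual
# human-readable report still goes to stderr.
verify_download() {
    keyring=$1
    sigfile=$2
    file=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sigfile" "$file" \
        | check_status "$PINNED_PRIMARY_FPR"
}

# Constructed status output for the thread's case: good signature from the
# expired key, made by subkey ...12BB1939 of primary ...C2F7E724.
sample_status_expired_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG B273811612BB1939 Martin Nowak <martin.nowak@plugintheworld.com>
[GNUPG:] VALIDSIG A7344DAD3C341EA12D13C4E6B273811612BB1939 2018-03-02 1520016477 0 4 0 1 10 00 AFC7DB45693D62BB472BF27BAB8FE924C2F7E724
EOF
}

# Constructed status output for a tampered tarball (signature does not match).
sample_status_badsig() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG B273811612BB1939 Martin Nowak <martin.nowak@plugintheworld.com>
EOF
}

# Constructed status output for the thread's first attempt: no keyring at all.
sample_status_no_pubkey() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG B273811612BB1939 1 10 00 1520016477 9 A7344DAD3C341EA12D13C4E6B273811612BB1939
[GNUPG:] NO_PUBKEY B273811612BB1939
EOF
}

# Stand-alone use (script name is a placeholder):
#   ./verify-dmd.sh /path/to/d-keyring.gpg dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz
if [ "$#" -eq 3 ]; then
    if verify_download "$1" "$2" "$3"; then
        echo "OK: good signature from pinned key $PINNED_PRIMARY_FPR"
    else
        echo "FAILED: bad signature, unknown key, or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

The pinned fingerprint is the one thing that must not come from the same download page as the tarball: write it down from a second channel (a key you imported earlier, a fingerprint printed in a release announcement, a colleague's copy) and compare it against `gpg --with-fingerprint d-keyring.gpg` once, and the script then rejects anything signed by a different key no matter what the server hands out. Note that an expired key still yields a cryptographically good signature (EXPKEYSIG rather than GOODSIG), which is the "[expired]" output Ali saw and which Seb says does not affect verification of the existing signatures; the script accepts that case deliberately.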
Copyright © 1999-2021 by the D Language Foundation