Hello,

On 19/10/2023 at 21:52, Doug Henderson via Devel wrote:
> Hi,
> 
> I always like to be able to download the pubkeys and signatures so I
> can verify the downloads before doing the installation.

That's good! Although for actual security you should have a trusted path to the PGP key; just downloading everything from the same website is only going to help detect corruption during the transfer :)

> gpg2 gives me these diagnostics:
> 
> geany-2.0.tar.bz2.sig
> Good signature from "Colomban Wendling <b...@ban.netlib.re>" [expired]
> 
> geany-2.0.tar.gz.sig
> Good signature from "Colomban Wendling <b...@ban.netlib.re>" [expired]
> 
> […]
> 
> In summary, two expired keys were used to sign the geany 2.0 assets,

Sorry, the key expiry was updated on keyservers, but not on geany.org. This should now be fixed.

> There are also no signatures for the .zip and .tar.gz files containing
> the source code for both geany and geany-plugins.

You mean the ones labelled "source code" from GitHub Release page [1]? Those are automatically generated by GitHub and contain the Git state, I don't think we can sign that. However, they are generated from the Git tag, which is signed with the same key as the one that signed the release tarballs.

[1] https://github.com/geany/geany/releases/tag/2.0.0

> With previous releases, I have also used the MD5SUM, and SHA*SUM
> files for additional verification.

This should also be available already, shouldn't it?

Regards,
Colomban
_______________________________________________
Devel mailing list -- devel@lists.geany.org
To unsubscribe send an email to devel-le...@lists.geany.org
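The verification procedure discussed in this thread, as an added example that is not part of the original messages nor Geany's own release tooling. It reads gpg's machine-readable status lines instead of the "Good signature ... [expired]" text, pins the signer's primary-key fingerprint (which you must obtain from a trusted path, e.g. a key you already verified for an earlier release, not the page that served the tarball), and runs the checksum file as a separate, weaker check. The tarball, its signature, the SHA256SUMS file name and the demo key are all constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not Geany's release tooling: verify a downloaded release the
# way the thread discusses, reading gpg's machine-readable status lines and
# pinning the signer's fingerprint obtained out of band, not from the page
# that served the tarball. File names and the demo key are assumptions.
set -eu

# verify_release TARBALL SIG PINNED_FPR
#   0: valid signature by the pinned primary key, key current
#   1: bad signature, no signature, or signing key not in the keyring
#   2: valid signature, but made by a key other than the pinned one
#   3: valid signature by the pinned key, but the key (or sig) expired/revoked
verify_release() {
  tarball=$1; sig=$2
  pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  # --status-fd 1 sends the "[GNUPG:] ..." lines to stdout; the human-readable
  # "Good signature from ..." text goes to stderr and is deliberately not parsed.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
  # VALIDSIG accompanies every cryptographically valid signature; its last
  # field is the primary key fingerprint even when a subkey made the signature.
  signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12; exit }')
  [ -n "$signer" ] || return 1
  [ "$signer" = "$pinned" ] || return 2
  # GOODSIG is printed only for a current, unrevoked key. "Good signature ...
  # [expired]" in the human output shows up as EXPKEYSIG here (EXPSIG and
  # REVKEYSIG are the other non-GOODSIG cases that still carry VALIDSIG).
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 3
  return 0
}

# verify_checksums DIR SUMFILE: sha256sum -c over a sum file served next to the
# tarball. This only catches corruption in transit: whoever can replace the
# tarball on the site can replace the sum file too, which is why the signature
# check above pins a fingerprint instead of trusting whatever key is on the page.
verify_checksums() {
  (cd "$1" && sha256sum --check --quiet "$2")
}

# demo_setup DIR: constructed fixture so the script runs offline. Creates a
# throwaway key in a private GNUPGHOME, a fake "tarball", its detached
# signature and a SHA256SUMS file, and stores the primary fingerprint in DEMO_FPR.
demo_setup() {
  GNUPGHOME="$1/gnupg"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signer <signer@example.invalid>' default default 1y 2>/dev/null
  printf 'not a real tarball; constructed for this example\n' > "$1/geany-2.0.tar.bz2"
  gpg --batch --yes --detach-sign --output "$1/geany-2.0.tar.bz2.sig" \
      "$1/geany-2.0.tar.bz2" 2>/dev/null
  (cd "$1" && sha256sum geany-2.0.tar.bz2 > SHA256SUMS)
  DEMO_FPR=$(gpg --batch --with-colons --list-keys signer@example.invalid 2>/dev/null \
      | awk -F: '$1 == "fpr" { print $10; exit }')
}

# check ARGS...: print verify_release's exit code without tripping set -e.
check() {
  rc=0
  verify_release "$@" || rc=$?
  echo "$rc"
}

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not installed; nothing to demonstrate" >&2; exit 0
fi
DEMO_DIR=$(mktemp -d)
demo_setup "$DEMO_DIR"
TARBALL="$DEMO_DIR/geany-2.0.tar.bz2"; SIG="$TARBALL.sig"
verify_checksums "$DEMO_DIR" SHA256SUMS && echo "checksums: OK"
echo "pinned key:    $(check "$TARBALL" "$SIG" "$DEMO_FPR")"   # 0
echo "wrong pin:     $(check "$TARBALL" "$SIG" 0000000000000000000000000000000000000000)"   # 2
cp "$TARBALL" "$DEMO_DIR/tampered.tar.bz2"; echo "backdoor" >> "$DEMO_DIR/tampered.tar.bz2"
echo "tampered file: $(check "$DEMO_DIR/tampered.tar.bz2" "$SIG" "$DEMO_FPR")"   # 1
```

For the GitHub "source code" archives that carry no signature of their own, the same idea applies to the tag they were generated from: clone the repository, import the pinned key, and run `git verify-tag 2.0.0`, which checks the tag's signature with gpg and reports the signing key; the archive then only needs to match the tag's tree. A release that verifies with exit code 3 above is exactly the "[expired]" situation from the thread: the signature is genuine, but the copy of the key you hold is stale or the key really was allowed to lapse, so refresh it from a trusted source before deciding.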