On Tuesday, 8 February 2022 at 10:17:19 UTC, Ola Fosheim Grøstad wrote:
I don't use GPG often, so I probably did something wrong, and failed to get a trusted verification. I do like the idea that a hacker cannot change the signature file if gaining access to the web/file hosts, but how to verify it in a secure way?
I also did not find the key listed here:

https://dlang.org/download.html

There are two parts to this gpg output:

(1)
"Good signature.." - ok. You can be sure the file is correctly signed.

(2)
"WARNING: This key is not certified with a trusted .." - ok. You have not fully trusted the key, that's fine, and makes sense, since you just downloaded the key, and the key itself might have been tampered with .. in which case you have a good signature from a fraudulent key.

On what basis would you trust the key? Think about it ;-)

Btw, the key is listed there - not sure what you mean.
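
Added example, not part of the original post or of the D project's tooling: when gpg is run with `--status-fd`, the two parts of the output described above arrive as separate machine-readable lines. The script below classifies those lines and compares the signing key's primary fingerprint with one obtained over a separate channel; the status lines, fingerprints and the function names `classify_status` and `sample_status` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use (PIN = fingerprint obtained over a separate channel):
#   gpg --status-fd 1 --verify file.sig file 2>/dev/null | classify_status "$PIN"

# classify_status PINNED_FPR: reads gpg status lines on stdin, prints a verdict.
# Returns 0 only for a good signature made by the pinned primary key.
classify_status() {
    # Published fingerprints often contain spaces and lower case; normalise.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0 primary="" trust=none
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                echo "bad-signature"; return 1 ;;
            GOODSIG) good=1 ;;          # part (1): the file matches this key
            VALIDSIG)                   # last field is the primary key fingerprint
                primary=${rest##* }
                [ -n "$primary" ] || primary=$arg1 ;;
            TRUST_*) trust=$keyword ;;  # part (2): the local keyring's view of the key
        esac
    done
    if [ "$good" -ne 1 ] || [ -z "$primary" ]; then
        echo "no-good-signature"; return 1
    fi
    if [ "$primary" = "$pinned" ]; then
        echo "good-signature key-matches-pin trust=$trust"; return 0
    fi
    echo "good-signature key-NOT-pinned trust=$trust"; return 1
}

# Constructed sample: a signature made by a signing subkey (placeholder fingerprints).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2022-02-08 1644315439 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_status | classify_status "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
```

A good signature from a key that does not match the pin is reported with a non-zero exit status, which is the "good signature from a fraudulent key" case.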
