On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:
Hi All,
The DMD download is accompanied with a sig file
How exactly do I use this sig file
I am assuming I can use it in place of checksum to verify the
download
And to be honest, I have almost zero knowledge for gpg and
encryption
I googled a little but, didnt exactly find what I was hoping to
find
I tried the following command
gpg --verify dmd_2.079.0-0_amd64.deb.sig
dmd_2.079.0-0_amd64.deb
which returns
gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
gpg: using RSA key B273811612BB1939
gpg: Can't check signature: No public key
I guess this means, the file is not verified
So how can I do a complete verification?
I also downloaded the keryring file, from link in the download
page
but also couldnt figure out how to use it
Any explanation of how this gpg sig key works and how to use it
to verify the download
would be appreciated
thanks
The official install script takes care of this automatically:
https://dlang.org/install.html
If you want to do this manually, you need to grab the D keyring
from here:
https://dlang.org/gpg_keys.html
And here's how you would verify the signature automatically like
e.g.
gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring
dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz
It's also possible to permanently add this keyring to your
installation with e.g. gpg --import ~/dlang/d-keyring.gpg
(Note: the individual keys in the keyring are currently expired
and we are working on rolling out a new keyring, but that doesn't
affect yverifying the existing signatures.)
