On Sun, Sep 17, 2017 at 07:59:25AM -0600, Paul Gilmartin wrote: > On 2017-09-16, at 13:54, Thomas Dickey wrote: > > > ----- Original Message ----- > > | From: "L. Blake Wilson" > > | Sent: Saturday, September 16, 2017 3:31:50 PM > > | > > | It appears that the tarballs for 2.8.8 rel. 2 have been corrupted. > > > > I don't see that (where are you looking?) > > > Intrigued by this, I thought to verify a signature, but: > > 619 $ curl > https://invisible-mirror.net/archives/lynx/tarballs/lynx2.8.8rel.2.tar.gz.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.17 (FreeBSD) > Comment: See http://lynx.isc.org/signatures.html for info
hmm - I hadn't thought of that detail when I moved the site. I have the private key, of course. Usually I use a script that handles the nuances of the command-line (which I wrote in 2005, but rewrote in June to make it simpler to check whole directory-tree). Like this: ok lynx2.8.8rel.1.tar.Z ok lynx2.8.8rel.1.tar.Z.asc ok lynx2.8.8rel.1.tar.bz2 ok lynx2.8.8rel.1.tar.bz2.asc ok lynx2.8.8rel.1.tar.gz ok lynx2.8.8rel.1.tar.gz.asc ok lynx2.8.8rel.1.zip ok lynx2.8.8rel.1.zip.asc ok lynx2.8.8rel.2.tar.Z ok lynx2.8.8rel.2.tar.Z.asc ok lynx2.8.8rel.2.tar.bz2 ok lynx2.8.8rel.2.tar.bz2.asc ok lynx2.8.8rel.2.tar.gz ok lynx2.8.8rel.2.tar.gz.asc ok lynx2.8.8rel.2.zip ok lynx2.8.8rel.2.zip.asc 16 files, 8 signed, 8 signatures (0 unsigned) or this (for example): gpg: Signature made Sun 09 Mar 2014 08:07:21 PM EDT using DSA key ID 688E31A6 gpg: Good signature from "Thomas Dickey (originally [email protected]) <[email protected]>" ok lynx2.8.8rel.2.tar.Z gpg: Signature made Sun 09 Mar 2014 08:07:21 PM EDT using DSA key ID 688E31A6 gpg: Good signature from "Thomas Dickey (originally [email protected]) <[email protected]>" ok lynx2.8.8rel.2.tar.Z.asc gpg: Signature made Sun 09 Mar 2014 08:07:25 PM EDT using DSA key ID 688E31A6 gpg: Good signature from "Thomas Dickey (originally [email protected]) <[email protected]>" ok lynx2.8.8rel.2.tar.bz2 > iEYEABECAAYFAlMdAkEACgkQXd+Pt2iOMaaB1gCg4TmKYtkoZ43EgLbdKohA9U6D > r7QAoN11QXq2KmLcZCtZHg4NsLaH9hws > =zD+J > -----END PGP SIGNATURE----- > > Ah! there seem to be instructions. So I try: > > 620 $ curl http://lynx.isc.org/signatures.html > curl: (6) Could not resolve host: lynx.isc.org > > Dead link? no - there was a DNS redirect(?) for a while which we stopped earlier this year because it had outlived its usefulness. For my purposes it's helpful to know when I originally signed the file. Packagers generally have made a hash for the original archive, so they haven't been pointing this out as a problem :-) -- Thomas E. Dickey <[email protected]> http://invisible-island.net ftp://ftp.invisible-island.net
signature.asc
Description: Digital signature
_______________________________________________ Lynx-dev mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/lynx-dev
