[Geany-Devel] Geany-Plugins 2.0 are out!
Dear friends, users and developers of Geany! Geany-Plugins 2.0 are out! We are happy to announce a new version of the combined Geany-Plugins release -- following the Geany 2.0 release, Geany-Plugins 2.0 is being released, too. Some highlights: * Updated translations: de, es, pt, ua * Bookmarks: Prevent duplicating bookmarks when editing line * GeanyVC: Support the use of external diff-tool in directory context * ProjectOrganizer: Use system trash for file/folder removal * Add ability to open file manager and terminal * Restore tree state in the sidebar * Allow new file/folder in top level * Vimmode: Support word-related text object commands such as: "ciw", "diw", "viw" etc. A more complete list of changes can be found at NEWS at https://github.com/geany/geany-plugins/releases/tag/2.0.0. As usual, you can find source tarballs and Windows installer for the new release on https://plugins.geany.org. A huge thanks to everybody contributing to this great release. Happy Birthday, Geany! OpenPGP_signature.asc Description: OpenPGP digital signature ___ Devel mailing list -- devel@lists.geany.org To unsubscribe send an email to devel-le...@lists.geany.org
[Geany-Devel] Geany 2.0 has bad or missing signing keys
Hi, I always like to be able to download the pubkeys and signatures so I can verify the downloads before doing the installation. gpg2 gives me these diagnostics: geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling " [expired] geany-2.0.tar.gz.sig Good signature from "Colomban Wendling " [expired] geany-2.0_setup.exe.sig Good signature from "Enrico Tröger " [unknown] and for geany-plugins-2.0.*.sig gpg: Signature made Oct 19, 2023 xx:xx:xx MDT gpg:using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888 gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl gpg: Can't check signature: No public key In summary, two expired keys were used to sign the geany 2.0 assets, and the public key required to verify the geany-plugins 2.0 assets does not seem to be available on the geany.org site. There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins. With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification. TIA Doug -- Doug Henderson, Calgary, Alberta, Canada - from gmail.com ___ Devel mailing list -- devel@lists.geany.org To unsubscribe send an email to devel-le...@lists.geany.org
[Geany-Devel] Re: Geany 2.0 has bad or missing signing keys
Hi, geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling " [expired] geany-2.0.tar.gz.sig Good signature from "Colomban Wendling " [expired] The key itself is *not* expired only the export available on the website. It was just updated and should work now also with the exported key available from the website. Alternatively, you could use gpg --recv-keys ACA0246889FB96B63382111724CCD8550E5D1CAE to update the key from the keyserver. geany-2.0_setup.exe.sig Good signature from "Enrico Tröger " [unknown] The key used to create the signature is 51A0918FEF3439066BEB87F4579347E6C71A77FA and it is available at https://download.geany.org/eht16-pubkey.txt. and for geany-plugins-2.0.*.sig gpg: Signature made Oct 19, 2023 xx:xx:xx MDT gpg:using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888 gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl gpg: Can't check signature: No public key Will be fixed tomorrow. The key used can be imported from the keyserver using: gpg --recv-keys 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888 There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins. Those files are auto generated by Github, there is no point in signing them except Github would do. With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification. The hashes have been added in the meantime. Regards, Enrico OpenPGP_signature Description: OpenPGP digital signature ___ Devel mailing list -- devel@lists.geany.org To unsubscribe send an email to devel-le...@lists.geany.org
[Geany-Devel] Re: Geany 2.0 has bad or missing signing keys
Hello, Le 19/10/2023 à 21:52, Doug Henderson via Devel a écrit : Hi, I always like to be able to download the pubkeys and signatures so I can verify the downloads before doing the installation. That's good! Although for actual security you should have a trusted path to the PGP key, just downloading everything from the same website is just gonna help verifying corruption during the transfer :) gpg2 gives me these diagnostics: geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling " [expired] geany-2.0.tar.gz.sig Good signature from "Colomban Wendling " [expired] […] In summary, two expired keys were used to sign the geany 2.0 assets, Sorry, they key expiry was updated on keyservers, but not on geany.org. This should now be fixed. There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins. You mean the ones labelled "source code" from GitHub Release page [1]? Those are automatically generated by GitHub and contain the Git state, I don't think we can sign that. However, they are generated from the Git tag, which is signed with the same key as the one that signed the release tarballs. [1] https://github.com/geany/geany/releases/tag/2.0.0 With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification. This should also be available already, isn't it? Regards, Colomban ___ Devel mailing list -- devel@lists.geany.org To unsubscribe send an email to devel-le...@lists.geany.org
