I downloaded all of the release files based on URLs from the release
announcement. I checked and none of the reported "missing" files were
missing.
It is great that the release files are GPG-signed. Given that one trusts
the signing key, the files can be proven to be signed by Even Rouault.
For example:
~/src% gpg --verify tiff-4.7.1.tar.gz.sig tiff-4.7.1.tar.gz
gpg: Signature made Fri 12 Sep 2025 06:25:02 AM CDT
gpg: using RSA key B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
gpg: Can't check signature: No public key
~/src% gpg --recv-keys B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
gpg: key 33EBBFC47B3DD87D: public key "Even Rouault <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
~/src% gpg --verify tiff-4.7.1.tar.gz.sig tiff-4.7.1.tar.gz
gpg: Signature made Fri 12 Sep 2025 06:25:02 AM CDT
gpg: using RSA key B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
gpg: Good signature from "Even Rouault <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1FA 7D81 EEB8 E663 9917 8B97 33EB BFC4 7B3D D87D
~/src% gpg --verify tiff-4.7.1.zip.sig tiff-4.7.1.zip
gpg: Signature made Fri 12 Sep 2025 06:25:03 AM CDT
gpg: using RSA key B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
gpg: Good signature from "Even Rouault <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1FA 7D81 EEB8 E663 9917 8B97 33EB BFC4 7B3D D87D
While it is true that Even's signing key was not signed by a trusted
party who knows him, and met him (to prove it is him), and I used a
public key server to retrieve the key, the GPG verification does prove
that the release archive files were not modified, and were signed using
Even's PGP key (from the key server).
This is the type of verification that people who download libtiff source
archives should be performing (if possible) to assure that the
downloaded files are from a trusted party, and have not been modified.
Bob
On 10/6/25 02:31, Gayathri Venkat via Tiff wrote:
Hello Team,
I am Gayathri, a developer at MathWorks. I believe in the past you have
worked with some of the MathWorks developers.
We are in the process of upgrading libtiff from version 4.7.0 to
4.7.1. I have noticed that the Makefile.in and configure files, which
were present in the tiff-4.7.0.tar.gz archive, are no longer included
in the tiff-4.7.1.tar.gz and .zip archives. However, these files are
still present in the tiff-4.7.1.tar.xz package.
Could you please confirm whether the Makefile.in and configure files
have been intentionally removed in the latest release?
Regards,
Gayathri
_______________________________________________
Tiff mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/tiff
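
Added example (not part of the original messages or of libtiff): the session above fetches the key by the fingerprint named in the signature itself, so a scripted check can instead compare gpg's machine-readable VALIDSIG status line against a fingerprint pinned in advance. The names check_status, verify_release and SAMPLE_STATUS are hypothetical, the status lines are constructed, and the pinned fingerprint is assumed to come from a source independent of the download.

```shell
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature
# whose primary key fingerprint equals a fingerprint pinned beforehand.

# Constructed sample of `gpg --status-fd` output for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 33EBBFC47B3DD87D Even Rouault
[GNUPG:] VALIDSIG B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D 2025-09-12 1757676302 0 4 0 1 10 00 B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_status PINNED_FPR  (status lines on stdin)
# Returns 0 only when a VALIDSIG line carries PINNED_FPR as its primary
# key fingerprint (field 12) and no bad/expired/revoked status is seen.
# Returns 2 when the pin is not a full 40-hex-digit fingerprint.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$pinned" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release PINNED_FPR SIGFILE DATAFILE
# Runs gpg with status output on stdout and applies the check above.
# The human-readable messages on stderr are discarded on purpose: the
# decision is made from the status lines only.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$1"
}
```

With the key already imported, `verify_release "$PINNED" tiff-4.7.1.tar.gz.sig tiff-4.7.1.tar.gz` exits 0 only when the signing key's primary fingerprint equals the pin; a short key ID as the pin is rejected.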