This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Setup version

From: Lee <ler762 at gmail dot com>
To: cygwin at cygwin dot com
Date: Fri, 8 Aug 2008 00:51:15 -0400
Subject: Re: Setup version
References: <489B96BC.1060202@alice.it>

On 8/7/08, Angelo Graziosi <angelo.graziosi@alice.it> wrote:
> Dave Korn wrote:
>
>> Also, we're going to add a link to the setup.exe gpg .sig file on the main
>> page; then the simple rule will be "If it has a gpg signature, it's the
>> new
>> version".
>
> The main page now says:
>
> "The signature for setup.exe can be used to verify the validity of this
> binary using this public key."
>
> Since I am new to these things, my simple question is: How?

Hopefully someone that knows will chime in - I suspect all I'm doing
is verifying that the file wasn't corrupted in the download :(

$gpg   --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify cygwinSetup.exe.sig
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Mon Aug  4 19:40:02 2008 EDT using DSA key ID 676041BA
gpg: requesting key 676041BA from hkp server pgpkeys.pca.dfn.de
gpg: key 676041BA: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

It's late, so I'm not going to try to figure out how to import the
public key they give the link to.      It seems a bit pointless
anyway..  if someone is able to change the setup.exe offered for
downloading I don't see why they couldn't also change the public key
you download off the same page.

Regards,
Lee

>
> I have tried (after the download of .sig, .asc and .exe files):
>
> $ gpg --verify setup.exe.sig setup.exe
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made [...]
> gpg: Can't check signature: public key not found
>
>
> TIA,
>     Angelo.
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
>

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- RE: Setup version
  - From: Dave Korn

References:
- Re: Setup version
  - From: Angelo Graziosi

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]