Mail Archives: cygwin/2008/08/08/00:52:25

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Message-ID: <dd5f2deb0808072151y69ff3b9eyd0fc3febecb9e715@mail.gmail.com>
Date: Fri, 8 Aug 2008 00:51:15 -0400
From: Lee <ler762 AT gmail DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Setup version
In-Reply-To: <489B96BC.1060202@alice.it>
MIME-Version: 1.0
References: <489B96BC DOT 1060202 AT alice DOT it>

On 8/7/08, Angelo Graziosi <angelo DOT graziosi AT alice DOT it> wrote:
> Dave Korn wrote:
>
>> Also, we're going to add a link to the setup.exe gpg .sig file on the main
>> page; then the simple rule will be "If it has a gpg signature, it's the new
>> version".
>
> The main page now says:
>
> "The signature for setup.exe can be used to verify the validity of this
> binary using this public key."
>
> Since I am new to these things, my simple question is: How?

Hopefully someone that knows will chime in - I suspect all I'm doing
is verifying that the file wasn't corrupted in the download :(

$ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify cygwinSetup.exe.sig
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Mon Aug  4 19:40:02 2008 EDT using DSA key ID 676041BA
gpg: requesting key 676041BA from hkp server pgpkeys.pca.dfn.de
gpg: key 676041BA: public key "Cygwin <cygwin AT cygwin DOT com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA


It's late, so I'm not going to try to figure out how to import the
public key they give the link to. It seems a bit pointless
anyway.. if someone is able to change the setup.exe offered for
downloading I don't see why they couldn't also change the public key
you download off the same page.

Regards,
Lee


>
> I have tried (after the download of .sig, .asc and .exe files):
>
> $ gpg --verify setup.exe.sig setup.exe
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made [...]
> gpg: Can't check signature: public key not found
>
>
> TIA,
>     Angelo.
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
>
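Added example, not part of the original message or of the Cygwin project: a "Good signature" from an auto-retrieved key shows only that the file matches whatever key signed it, so this sketch reads gpg's --status-fd output and accepts the result only when the signing key's fingerprint equals one pinned in advance. The function names and sample status lines are constructed for illustration, and the pin is simply the fingerprint printed in the gpg output above; a real pin has to come from a channel independent of the download page.

```shell
#!/bin/sh
# Accept a gpg verification only if the signing key matches a pinned fingerprint.
# Real use (assumes setup.exe and setup.exe.sig are in the current directory):
#   gpg --status-fd 1 --verify setup.exe.sig setup.exe 2>/dev/null | check_status "$PINNED_FPR"

# Illustration only: the fingerprint shown in the gpg output quoted on this page.
PINNED_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_status PIN: reads gpg status lines on stdin; returns 0 only when a
# VALIDSIG line names the pinned primary key and no failure keyword appears.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    result=1
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # The last field is the primary key fingerprint when gpg emits it;
                # otherwise fall back to the signing key fingerprint.
                primary=${rest##* }
                [ ${#primary} -ge 40 ] || primary=$fpr
                [ "$primary" = "$pinned" ] && result=0 || return 1 ;;
        esac
    done
    return $result
}

# Constructed status output for a signature made by the pinned key.
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin AT cygwin DOT com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2008-08-04 1217893202 0 3 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
EOF
}

# Constructed status output: the signature is cryptographically good, but it was
# made by a different key (placeholder fingerprint) fetched automatically.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000000 Cygwin <cygwin AT cygwin DOT com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2008-08-04 1217893202 0 3 0 17 2 00 0000000000000000000000000000000000000000
EOF
}
```

The second sample is the case raised in the message: gpg would still print "Good signature" for it, and only the fingerprint comparison rejects it.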
