On Aug 19, 2023, at 20:18, cage <cage-dev@twistfold.it> wrote:
Hi!
Sorry if this question sounds trivial (likely it is) but how can I verify the packages downloaded on the ABCL website?
I am able to download the signature file (*.asc) but I do not know how to find the public key to match the signature.
    $ gpg --verify abcl-bin-1.9.2.tar.gz.asc
    gpg: assuming signed data in 'abcl-bin-1.9.2.tar.gz'
    gpg: Signature made Wed Jun 21 10:01:48 2023 CEST
    gpg:                using DSA key 5491D207FF9ECDE0BEA277772A9641104DB1773D
    [...]
    gpg: Can't check signature: No public key
                                ^^^^^^^^^^^^^
[I responded to you in #abcl, but you didn’t return to read the memo].
Most (all) ABCL releases have been signed with my personal key associated with evenson.not.org@gmail.com. This key was listed in the HKP databases ("openpgp.mit.edu"?), but I guess they got taken down after the poisoning attack (3-4 years ago?). The key now seems to be listed with keys.openpgp.org [1]. Is that enough for you to trust the key, or would you like me to make some sort of cryptographic commitment that this is my key?
[0]: https://irclog.tymoon.eu/libera/%23abcl?around=1692513899#1692513899
[1]: https://keys.openpgp.org/vks/v1/by-fingerprint/5491D207FF9ECDE0BEA277772A9641104DB1773D
yours in CONS, Mark <evenson.not.org@gmail.com>
-- "A screaming comes across the sky. It has happened before but there is nothing to compare to it now."
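One way to act on the reply above, added here as an example that is not part of the thread or of the ABCL project: fetch the key from keys.openpgp.org by the fingerprint shown in cage's gpg output, then verify the tarball while pinning that fingerprint rather than trusting a bare "Good signature". It assumes GnuPG 2.x on PATH (and network access for the fetch); the function names and the status-line parser are mine.

```shell
#!/bin/sh
# Added example, not ABCL project code: fetch the release-signing key by the
# fingerprint shown in the thread and verify a tarball while pinning that
# fingerprint. Assumes GnuPG 2.x on PATH; fetch_key also needs network access.

# Fingerprint from cage's gpg output; the key Mark says is on keys.openpgp.org.
ABCL_FPR="5491D207FF9ECDE0BEA277772A9641104DB1773D"

# Fetch the key from the server Mark names. HKPS protects the transport, but
# trust comes from the fingerprint check in check_status, not from the server.
fetch_key() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$1"
}

# Read GnuPG --status-fd lines on stdin and succeed only on a VALIDSIG whose
# signing-key or primary-key fingerprint equals $1. "Good signature" alone is
# not enough: gpg prints it for any key that happens to be in the keyring.
check_status() {
    expected="$1"
    while IFS=' ' read -r prefix tag fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] && [ "$tag" = "VALIDSIG" ] || continue
        # VALIDSIG fields: <signing fpr> <date> <ts> <expire> <ver> <rsvd>
        #                  <pk-algo> <hash-algo> <sig-class> <primary fpr>
        primary="${rest##* }"
        if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Verify <tarball> against <tarball>.asc; status 0 only if check_status passes.
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$ABCL_FPR"
}

# Usage: sh verify-abcl.sh abcl-bin-1.9.2.tar.gz
if [ -n "${1:-}" ]; then
    fetch_key "$ABCL_FPR" && verify_release "$1"
fi
```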