On Aug 19, 2023, at 20:18, cage <cage-dev@twistfold.it> wrote:

Hi!

Sorry if this question sounds trivial (likely it is) but how can I verify the packages downloaded on the ABCL website?

I am able to download the signature file (*.asc) but I do not know how to find the public key to match the signature.

---------------- $ gpg --verify abcl-bin-1.9.2.tar.gz.asc gpg: assuming signed data in 'abcl-bin-1.9.2.tar.gz' gpg: Signature made Wed Jun 21 10:01:48 2023 CEST gpg: using DSA key 5491D207FF9ECDE0BEA277772A9641104DB1773D [...] gpg: Can't check signature: No public key ---------------- ^^^^^^^^^^^^^

[I responded to you in #abcl, but you didn’t return to read the memo]. Most (all) ABCL releases have been signed with my personal key associated with <evenson.not.org@gmail.com>. This key was listed in the HKP databases ("openpgp.mit.edu"?), but I guess they got taken down after the poisoning attack (3-4 years ago?). The key now seems to be listed with keys.openpgp.org <http://keys.openpgp.org/>. Is that enough for you to trust the key, or would you like me to make some sort of cryptographic commitment that this is my key? [0]: <https://irclog.tymoon.eu/libera/%23abcl?around=1692513899#1692513899> [1]: <https://keys.openpgp.org/vks/v1/by-fingerprint/5491D207FF9ECDE0BEA277772A9641104DB1773D> yours in CONS, Mark <evenson.not.org@gmail.com <mailto:evenson.not.org@gmail.com>> -- "A screaming comes across the sky. It has happened before but there is nothing to compare to it now."