From: Perry E. <nh...@gm...> - 2015-10-11 13:17:28
|
Hello All - I need to update my s3tools package from an old version, went to Sourceforge, and noticed the .asc signature file with the newest version, downloaded them, but I don't see instructions how to use the signature file to verify the package. Am I missing something, like the right set of instructions? Thanks very much Perry Engle |
From: Matt D. <ma...@do...> - 2015-10-11 15:19:57
|
I did the release and it is signed with my key. Download both the .tar.gz and .tar.gz asc files to the same directory. Then to verify the results, the commands are: gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 92F0FC09 gpg -v s3cmd-1.6.0.tar.gz.asc It will then report a good signature. > gpg: armor header: Version: GnuPG v1 > gpg: assuming signed data in `s3cmd-1.6.0.tar.gz' > gpg: Signature made Fri 18 Sep 2015 09:03:40 AM CDT using RSA key ID > D1E3393D > gpg: using subkey D1E3393D instead of primary key 92F0FC09 > gpg: using PGP trust model > gpg: Good signature from "Matt Domsch <ma...@do...>" > gpg: aka "Matt Domsch <Mat...@de...>" > gpg: aka "Matt Domsch <md...@al...>" > gpg: aka "Matt Domsch <Mat...@al...>" > gpg: aka "[jpeg image of size 5004]" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 17A4 17D0 81F5 4B5F DB1C AEF8 21AB EEF7 92F0 FC09 > Subkey fingerprint: 51CD D511 63A4 F939 3035 73BF DED9 FB9C D1E3 393D > gpg: binary signature, digest algorithm SHA256 The WARNING bit will be seen unless you have personally established a chain of trust to my key. I've got only 212 signatures on my key, so it's likely we won't be directly connected, but my key is trusted by keys in the "strong set", so hopefully you'll have a path through there to trust my signature. On Oct 11, 2015 8:19 AM, "Perry Engle" <nh...@gm...> wrote: > Hello All - > > I need to update my s3tools package from an old version, went to > Sourceforge, and noticed the .asc signature file with the newest > version, downloaded them, but I don't see instructions how to use the > signature file to verify the package. > > Am I missing something, like the right set of instructions? > > Thanks very much > Perry Engle > > > ------------------------------------------------------------------------------ > _______________________________________________ > S3tools-general mailing list > S3t...@li... > https://lists.sourceforge.net/lists/listinfo/s3tools-general > > |
From: Perry E. <nh...@gm...> - 2015-10-12 23:35:59
|
Thanks Matt - It works fine. Now I have a bunch more commands to learn. Perry On 10/11/2015 11:19 AM, Matt Domsch wrote: > > I did the release and it is signed with my key. > > Download both the .tar.gz and .tar.gz asc files to the same directory. > Then to verify the results, the commands are: > > gpg --keyserver hkps.pool.sks-keyservers.net > <http://hkps.pool.sks-keyservers.net> --recv-keys 92F0FC09 > > gpg -v s3cmd-1.6.0.tar.gz.asc > > It will then report a good signature. > > gpg: armor header: Version: GnuPG v1 > gpg: assuming signed data in `s3cmd-1.6.0.tar.gz' > gpg: Signature made Fri 18 Sep 2015 09:03:40 AM CDT using RSA key > ID D1E3393D > gpg: using subkey D1E3393D instead of primary key 92F0FC09 > gpg: using PGP trust model > gpg: Good signature from "Matt Domsch <ma...@do... > <mailto:ma...@do...>>" > gpg: aka "Matt Domsch <Mat...@de... > <mailto:Mat...@de...>>" > gpg: aka "Matt Domsch <md...@al... > <mailto:md...@al...>>" > gpg: aka "Matt Domsch > <Mat...@al... > <mailto:Mat...@al...>>" > gpg: aka "[jpeg image of size 5004]" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to > the owner. > Primary key fingerprint: 17A4 17D0 81F5 4B5F DB1C AEF8 21AB EEF7 > 92F0 FC09 > Subkey fingerprint: 51CD D511 63A4 F939 3035 73BF DED9 FB9C > D1E3 393D > gpg: binary signature, digest algorithm SHA256 > > > The WARNING bit will be seen unless you have personally established a > chain of trust to my key. I've got only 212 signatures on my key, so > it's likely we won't be directly connected, but my key is trusted by > keys in the "strong set", so hopefully you'll have a path through > there to trust my signature. > > > > On Oct 11, 2015 8:19 AM, "Perry Engle" <nh...@gm... > <mailto:nh...@gm...>> wrote: > > Hello All - > > I need to update my s3tools package from an old version, went to > Sourceforge, and noticed the .asc signature file with the newest > version, downloaded them, but I don't see instructions how to use the > signature file to verify the package. > > Am I missing something, like the right set of instructions? > > Thanks very much > Perry Engle > > ------------------------------------------------------------------------------ > _______________________________________________ > S3tools-general mailing list > S3t...@li... > <mailto:S3t...@li...> > https://lists.sourceforge.net/lists/listinfo/s3tools-general > > > > ------------------------------------------------------------------------------ > > > _______________________________________________ > S3tools-general mailing list > S3t...@li... > https://lists.sourceforge.net/lists/listinfo/s3tools-general |