-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday, 2024-04-10 at 21:18 -0000, ɯ u via Alpine-info wrote:
Hi, I'm a long-time Pine/Alpine user and just noticed I'm mentioned on
https://alpineapp.email/alpine/alpine-info/tips/ - thanks! :)
After many years of using an old Alpine, I'm in the midst of installing
Alpine 2.26 on one of my Windows devices. I downloaded alpine-2.26.zip
from here:
https://alpineapp.email/
I verified the checksum and now want to check the integrity with gpg,
but I need some help. I don't know much about gpg, but I was able to use
these instructions to verify the Mullvad Browser signature:
Verifying Mullvad Browser signature
https://mullvad.net/en/help/verifying-mullvad-browser-signature
After doing that, I thought OK, now I can kind of use these instructions
to verify alpine-2.26.zip. I downloaded Eduardo's GPG public key from:
https://alpineapp.email/alpine/gpg/alpine.cha...@yandex.com.gpg
But what do I do now? I'm thinking that I need a file named something
like alpine-2.26.zip.asc? I'd appreciate any help.
At that page you can read:
Source Code alpine-2.26.tar.xz
MD5: 0943b31c476276e924b02afbfaf98392
SHA256: c0779c2be6c47d30554854a3e14ef5e36539502b331068851329275898a9baba
GPG Signature: alpine-2.26.tar.xz.sig.
You can verify the "alpine-2.26.tar.xz" file with the signature
"alpine-2.26.tar.xz.sig" and Eduardo public key.
cer@Telcontar:~/tmp/alpine> gpg --verify alpine-2.26.tar.xz.sig
alpine-2.26.tar.xz
gpg: Signature made 2022-06-03T02:14:17 CEST
gpg: using RSA key 7BCC14640B206433AC2D511FBEB04EE9EA8259AD
gpg: Can't check signature: No public key
cer@Telcontar:~/tmp/alpine>
cer@Telcontar:~/tmp/alpine> wget
https://alpineapp.email/alpine/gpg/alpine.cha...@yandex.com.gpg
- --2024-04-11 03:01:56--
https://alpineapp.email/alpine/gpg/alpine.cha...@yandex.com.gpg
Resolving alpineapp.email (alpineapp.email)... 198.91.87.65
Connecting to alpineapp.email (alpineapp.email)|198.91.87.65|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3984 (3,9K) [application/x-msdownload]
Saving to: ‘alpine.cha...@yandex.com.gpg’
alpine.cha...@yandex.com.gpg
100%[=============================================>] 3,89K --.-KB/s in 0s
2024-04-11 03:01:57 (798 MB/s) - ‘alpine.cha...@yandex.com.gpg’ saved
[3984/3984]
cer@Telcontar:~/tmp/alpine> l
total 7364
drwxr-xr-x 2 cer users 98 Apr 11 03:01 ./
drwxr-xr-x 158 cer users 8192 Apr 11 02:58 ../
- -rw-r--r-- 1 cer users 7517628 Jun 3 2022 alpine-2.26.tar.xz
- -rw-r--r-- 1 cer users 566 Jun 3 2022 alpine-2.26.tar.xz.sig
- -rw-r--r-- 1 cer users 3984 Jun 15 2022 alpine.cha...@yandex.com.gpg
cer@Telcontar:~/tmp/alpine>
cer@Telcontar:~/tmp/alpine> gpg --import alpine.cha...@yandex.com.gpg
gpg: key BEB04EE9EA8259AD: "alpine.cha...@yandex.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
cer@Telcontar:~/tmp/alpine> gpg --verify alpine-2.26.tar.xz.sig
alpine-2.26.tar.xz
gpg: Signature made 2022-06-03T02:14:17 CEST
gpg: using RSA key 7BCC14640B206433AC2D511FBEB04EE9EA8259AD
gpg: Good signature from "alpine.cha...@yandex.com" [unknown]
gpg: aka "Eduardo Chappa <eduardo.cha...@outlook.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7BCC 1464 0B20 6433 AC2D 511F BEB0 4EE9 EA82 59AD
cer@Telcontar:~/tmp/alpine>
That's the procedure for verifying the sources (although there is a chain
of trust problem in what I did). You can not gpg verify the windows binary
because the signature is not published.
- --
Cheers,
Carlos E. R.
(from openSUSE 15.5 x86_64 at Telcontar)
-----BEGIN PGP SIGNATURE-----
iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCZhc4tBwccm9iaW4ubGlz
dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVnuUAnj5hzEJnu2xAI4kFm7Hk
8J3lgb7MAJsEuhip3dQ3zLQM/S/YvYHlw8BMSw==
=39Gg
-----END PGP SIGNATURE-----_______________________________________________
Alpine-info mailing list
Alpine-info@u.washington.edu
http://mailman12.u.washington.edu/mailman/listinfo/alpine-info
