"Thomas Schmitt" <scdbac...@gmx.net> wrote:
> Hi,
>
> Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.
>
> Do I get it right that you talk about https://rakudo.org/downloads ?
>
> > Question: How can I get the fingerprint from the downloads?
> > The products I download are (1) the file of interest, (2) a PGP
> > signed checksums file with various shaX hashes for the file, and
> > (3) a separate file containing a PGP signature.
>
> The "Verify" button at above web page leads to
> https://rakudo.org/downloads/verifying
> which explains how to use sha256 and gpg2 for verification.
> Most importantly it lists the fingerprints of the four "Keys of the
> releasers". If gpg2 --verify reports any other fingerprint, then
> the .asc file cannot be trusted.
>
> (It is not overly trustworthy that fingerprints and the signed files
> are offered on the same web site. Once the site is compromised, both
> can be manipulated by the attacker.)
That's why the page suggests that the developers also list their fingerprints on their GitHub pages, I suspect. Which they do.
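The check Thomas describes (accept the .asc only if gpg2 reports one of the published releaser fingerprints) can be scripted instead of read off the terminal. The script below is an added example, not from this thread or from rakudo.org; it assumes gpg2 and sha256sum are installed, that the releaser keys were already imported, that the .asc is a detached signature over the downloaded file, and the fingerprints in TRUSTED_FPRS are constructed placeholders to be replaced with the ones published at https://rakudo.org/downloads/verifying (ideally cross-checked against the developers' GitHub pages).

```shell
#!/bin/sh
# Pinned releaser fingerprints. CONSTRUCTED placeholders: replace with the
# fingerprints published on the verifying page, cross-checked elsewhere.
TRUSTED_FPRS="
0000000000000000000000000000000000000001
0000000000000000000000000000000000000002
"

# Read gpg --status-fd output on stdin. Prints the signing-key fingerprint
# and returns 0 only for a VALIDSIG whose (sub)key or primary key is pinned;
# returns 1 for a bad/missing signature or a signature by an unpinned key.
check_status() {
    awk -v trusted="$TRUSTED_FPRS" '
        BEGIN { split(trusted, t, /[ \n]+/); for (i in t) if (t[i] != "") ok[t[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 = fingerprint of the signing (sub)key, $NF = primary key fpr
            if (ok[$3] || ok[$NF]) { print $3; good = 1 }
            else { print "untrusted signing key " $3 > "/dev/stderr" }
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release FILE CHECKSUMS SIG: signature by a pinned key, then the
# file's sha256 must appear in the (separately signed) checksums file.
verify_release() {
    file=$1; sums=$2; sig=$3
    gpg2 --status-fd 1 --verify "$sig" "$file" 2>/dev/null | check_status || return 1
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    grep -q "$sum" "$sums" || { echo "sha256 mismatch for $file" >&2; return 1; }
    echo "OK: $file"
}
```

Run as `verify_release rakudo-x.y.tar.gz rakudo-x.y.checksums.txt rakudo-x.y.tar.gz.asc`; any VALIDSIG from a key outside TRUSTED_FPRS fails even though gpg2 itself would report the signature as good.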