I was able to verify it with the .sig from gnu.org ftp, along with the info at http://ftp.gnu.org/ about where to obtain the gnu-keyring.gpg file.

A suggestion... In addition to making sure the .sig is copied to your mirrors, I recommend including the gnu-keyring.gpg info (from http://ftp.gnu.org) at http://gcc.gnu.org/mirrors.html instead of just saying "The archives on these mirrors will be signed by one of the following GnuPG keys: ..." and listing the fingerprints (but not providing the actual keys).

One more thing... 4.8.0 was signed with an expired key:

$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig
gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <ja...@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06

Also, I am about to submit a bug ("internal compiler error") I found in 4.8.0/4.8.1, which of course clang has no problem with.

-----Original Message-----
From: Tobias Burnus [mailto:bur...@net-b.de]
Sent: Monday, April 29, 2013 5:25 PM
To: Scott Baldwin
Cc: gcc@gcc.gnu.org
Subject: Re: How am I supposed to verify gcc-4.8.0 download when you provide no .sig file?...

On 29.04.2013 22:14, Scott Baldwin wrote:
> Just downloaded 4.8.0 from one of your mirror sites listed at
> [http://gcc.gnu.org/mirrors.html] and would like to verify the file
> with GPG.
>
> Your site says "The archives there will be signed by one of the
> following GnuPG keys...", but I see no .sig/.asc file on the mirror
> sites (or in the package itself), so how am I supposed to verify the file, exactly?

Interestingly, the .sig files are only on the GNU server, e.g.
http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/
but not on the GCC server, e.g.
ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/
As the latter is used by the mirrors, it is also not available on the mirrors.

Tobias
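The expired-key case shown in the thread is worth automating: gpg prints "Good signature" plus a note that the key has expired, and typically still exits 0, so a download script that only checks the exit status accepts it. The Python below is an added example, not code from the thread or from the GCC or GNU projects. It drives gpg with the documented --status-fd interface, parses the machine-readable status keywords (GOODSIG, EXPKEYSIG, VALIDSIG, BADSIG and friends, as listed in GnuPG's doc/DETAILS), rejects expired or revoked signing keys, and pins the primary-key fingerprint to the value quoted above. The status transcripts embedded for testing are constructed by hand in that format and are not real gpg output; the signer name and e-mail in them are placeholders.

```python
"""Verify a detached GnuPG signature and refuse expired/revoked signing keys.

Added example (not from the thread). Uses only documented gpg options:
--status-fd writes '[GNUPG:] KEYWORD args' lines that are stable across
versions, unlike the human-readable 'Good signature' text.
"""
import subprocess
import sys

# Primary-key fingerprint(s) you expect, taken from the release page, with
# spaces removed. This one is the fingerprint quoted in the thread above.
PINNED_FINGERPRINTS = {"33C235A34C46AA3FFB293709A328C3A2C3C45C06"}

# Status keywords that always mean "do not trust this file".
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"}


def parse_status(status_text):
    """Return {keyword: [[arg, ...], ...]} from '[GNUPG:] KEYWORD args' lines.

    Anything not starting with the '[GNUPG:] ' prefix (e.g. stray human
    messages) is ignored.
    """
    status = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            status.setdefault(parts[0], []).append(parts[1:])
    return status


def judge(status_text, pinned=PINNED_FINGERPRINTS, allow_expired_key=False):
    """Return (accepted, reason) for one gpg --status-fd transcript.

    reason is the primary-key fingerprint on success and the offending
    status keyword (or a short message) on failure.
    """
    st = parse_status(status_text)
    for kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"):
        if kw in st:
            return False, kw
    if "VALIDSIG" not in st:
        return False, "no VALIDSIG"
    # EXPKEYSIG = good signature, but made by a key that has since expired.
    # gpg reports this as a good signature; we do not, unless told to.
    if "EXPKEYSIG" in st and not allow_expired_key:
        return False, "EXPKEYSIG"
    if "GOODSIG" not in st and "EXPKEYSIG" not in st:
        return False, "no GOODSIG"
    # VALIDSIG <sig-fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
    #          <hash-algo> <sig-class> [<primary-key-fpr>]
    args = st["VALIDSIG"][0]
    primary = (args[9] if len(args) > 9 else args[0]).upper()
    if primary not in {f.upper() for f in pinned}:
        return False, "unpinned key " + primary
    return True, primary


def run_gpg_verify(keyring, sig_path, data_path):
    """Run gpg and return its status transcript. Assumes gpg is on PATH.

    The keyring path needs a '/' in it (e.g. ./gnu-keyring.gpg), otherwise
    gpg looks for it relative to its home directory.
    """
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout


# Constructed transcripts for testing, not real gpg output from the thread.
TRANSCRIPT_EXPIRED_KEY = """[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2013-03-22 1363959149 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06
"""
TRANSCRIPT_GOOD = TRANSCRIPT_EXPIRED_KEY.replace("EXPKEYSIG", "GOODSIG")
TRANSCRIPT_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG A328C3A2C3C45C06 Example Signer <signer@example.org>
"""
TRANSCRIPT_UNPINNED = TRANSCRIPT_GOOD.replace(
    "33C235A34C46AA3FFB293709A328C3A2C3C45C06", "0" * 40)


if __name__ == "__main__":
    # usage: verify.py ./gnu-keyring.gpg gcc-4.8.0.tar.gz.sig gcc-4.8.0.tar.gz
    ok, why = judge(run_gpg_verify(*sys.argv[1:4]))
    print("ACCEPT" if ok else "REJECT", why)
    sys.exit(0 if ok else 1)
```

Pinning the primary fingerprint matters even with a trusted keyring: gnu-keyring.gpg contains the keys of every GNU maintainer, so a valid signature from some other key in that ring would otherwise pass. Whether to set allow_expired_key for an old release signed before the key expired is a policy decision; the default here is to refuse.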